A couple of weeks ago, researchers identified a previously unknown ransomware group, Atom Silo, which they describe as an ultra-stealthy adversary.
Atom Silo has emerged with its own bag of novel and sophisticated tactics, techniques, and procedures (TTPs). These were full of twists and turns and hard to spot – probably intentionally so, Sophos senior threat researcher Sean Gallagher writes in a report published on Tuesday.
The report dives into how the attack took place, leveraging a recently disclosed vulnerability in Atlassian's Confluence collaboration software. In August, Atlassian - the Australian software company that develops Confluence, a web-based corporate wiki - issued an advisory for CVE-2021-26084, a flaw in Confluence Server and Data Center that was being exploited in the wild, leaving unpatched Confluence installations exposed.
The ransomware used by the Atom Silo group is virtually identical to LockFile, the report details, but their intrusion stage involved several novel techniques and complex maneuvers to evade detection and complete the attack.
“For instance, once they had gained initial access via a backdoor into the Confluence server, the attackers were able to drop and install a second, stealthy backdoor. This backdoor used an executable from a legitimate third-party software product that was vulnerable to DLL ‘side-load’ attacks to execute the backdoor code,” the report reads.
The backdoor connected to a remote command-and-control server over TCP port 80 and allowed remote execution of Windows shell commands through Windows Management Instrumentation (WMI). The ransomware payload itself was accompanied by a malicious kernel driver designed to disrupt endpoint protection software.
“The attackers then moved laterally through the network and compromised additional servers, installing additional backdoors through the WMI interface, using a compromised administrative account. For the most part, the attackers avoided installing these backdoors as services,” the report continues. Sophos researchers believe the attackers avoided registering the backdoors as services to evade detection by security controls.
The attackers also used Remote Desktop Protocol (RDP) sessions to find and copy data, then exfiltrated it to Dropbox using the open-source sync tool Rclone. The ransomware executable was deployed only after exfiltration, at the same time as the kernel driver designed to disrupt endpoint protection.
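The intrusion chain described above (a shell spawned by the Confluence server's Java process, remote command execution under WMI, and Rclone pushing data to a cloud remote) leaves recognisable traces in process-creation telemetry. The following is an added hunting example, not code from Sophos or from this article: it runs three rules over constructed sample events shaped like Sysmon Event ID 1 records exported as JSON. Host names, paths, user names and command lines are invented for illustration, and the rule names are the author's own.

```python
"""Hunt Sysmon process-creation events for the Atom Silo-style intrusion steps.

Added example, not code from Sophos or the article. SAMPLE_EVENTS are
constructed records shaped like Sysmon Event ID 1 exported as JSON;
every host name, path, user and command line is invented.
"""
import re

# Interpreters an attacker needs in order to run "Windows shell commands" remotely.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Confluence runs on a bundled JRE/Tomcat; a shell under it means the web app was abused.
WEB_APP_PARENTS = {"java.exe", "tomcat8.exe", "tomcat9.exe"}
# Rclone addresses cloud storage as "remote:path". The remote name is user chosen,
# so match the syntax (word, colon) rather than the string "dropbox".
# A Windows drive letter ("d:\...") has only one character before the colon and is excluded.
RCLONE_REMOTE = re.compile(r"^[a-z][a-z0-9_-]+:")

SAMPLE_EVENTS = [
    # Confluence's Java process spawning a shell: post-exploitation of the wiki server.
    {"EventID": 1, "Computer": "confluence01",
     "ParentImage": r"C:\Atlassian\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"NT AUTHORITY\SYSTEM"},
    # Shell launched by WmiPrvSE.exe: the hallmark of remote command execution over WMI.
    {"EventID": 1, "Computer": "fileserver02",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "C:\\ProgramData\\svc\\update.exe"', "User": r"CORP\admin"},
    # Benign WMI child (a monitoring agent), no shell involved: must not fire.
    {"EventID": 1, "Computer": "fileserver02",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Program Files\Monitor\agent.exe",
     "CommandLine": "agent.exe --inventory", "User": r"NT AUTHORITY\SYSTEM"},
    # Rclone copying a share to a cloud remote: the exfiltration step.
    {"EventID": 1, "Computer": "fileserver02",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\admin\Downloads\rclone.exe",
     "CommandLine": 'rclone.exe copy D:\\Finance dbx:backup --transfers 8', "User": r"CORP\admin"},
    # Ordinary interactive shell from Explorer: must not fire.
    {"EventID": 1, "Computer": "ws17",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\jdoe"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()

    # Rule 1: remote execution via WMI ends up as a shell child of WmiPrvSE.exe.
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_remote_shell")
    # Rule 2: a web application server should never need a command interpreter.
    if parent in WEB_APP_PARENTS and image in SHELLS:
        hits.append("webapp_spawned_shell")
    # Rule 3: any rclone run is worth a look; one that names a remote is exfiltration-shaped.
    if image == "rclone.exe" or cmd.startswith("rclone"):
        tokens = cmd.split()[1:]  # skip the program name itself
        if any(RCLONE_REMOTE.match(t) for t in tokens):
            hits.append("rclone_cloud_exfil")
        else:
            hits.append("rclone_execution")
    return hits


def hunt(events) -> list[tuple[str, str, str]]:
    """(computer, rule, command line) for every match, in input order."""
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append((ev["Computer"], rule, ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host:14} {rule:22} {cmd}")
```

Two caveats for real use: Rule 3 keys on the file name, so a renamed rclone binary would slip past it; Sysmon's OriginalFileName field (or a hash) is the more robust key. Rule 1 fires on any WMI-spawned shell, which on some fleets includes legitimate administration, so it is a hunting lead rather than a blocking signature.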
“Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware.
This incident is also a good reminder of how dangerous publicly disclosed security vulnerabilities in internet-facing software are when left unpatched, even for a relatively short time. In this case, the vulnerability opened the door to two simultaneous but unrelated attacks from ransomware and a crypto-miner,” Gallagher said.