Senior threat researcher Sean Gallagher and his colleague Vikas Singh said a second backdoor was used in the attack, though they did not specify which software was the entry point, only saying three files were used, one being "a legitimate, signed executable from a third-party software provider that is vulnerable to an unsigned DLL sideload attack".
The DLL spoofed a library needed by the application's executable and was placed in the same folder on the targeted server as the vulnerable executable.
"This attack technique, known as DLL search order hijacking (ATT&CK T1574.001), is a well-worn technique recently observed in LockFile ransomware attacks leveraging the ProxyShell vulnerability," Gallagher and Singh wrote in their detailed blog post.
After this loaded, Windows shell commands could be executed remotely through the Windows Management Interface.
Lateral movement was then undertaken by the intruders and a number of additional servers were compromised in the next five hours. Information was gathered from the logs of the compromised servers: user credentials, accounts that were locked out and characteristics of the local network.
While this was in progress, another unrelated intruder used the Confluence vulnerability to install cryptominer malware.
Discovery and exfiltration of important data was then undertaken. An executable was dropped on the domain controller, with two variants used. These contained the following files:
- autoupdate.exe (the ransomware, detected as Troj/Ransom-GKL);
- autologin.exe, a Kernel Driver Utility hacktool;
- autologin.sys, a driver targeting Sophos services, including the file scanning service; and
- drv64.dll, a Kernel Driver Utility hacktool database, previously reported as part of a LockFile ransomware attack using the PetitPotam exploit.
The autologin.exe was used to map the autologin.sys driver to the kernel and, once loaded, protections against shutting down endpoint services could be bypassed.
The ransomware itself was then launched, and when it was detected by Intercept X’s CryptoGuard, the second attack executable was used to disable any protection.
Gallagher and Singh said though the initial vulnerability that allowed access to the attackers was only public for three weeks, patching was always a race for companies and at this time it was even more difficult due to the effects of the COVID lockdown.
"Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponising them rapidly to profit off them — as demonstrated by the evidence of two separate threat actors finding and exploiting the vulnerable Confluence server involved in this incident," they said.
"If the ransomware attack had not been discovered, the cryptocurrency miner on the server may have gone undiscovered."
Bill Kearny, Kajal Katiyar, Chaitanya Ghorpade and Rahil Shah were also credited with having played a role in the research.
Screenshots: courtesy Sophos