Security Market Segment LS
Tuesday, 05 October 2021 12:15

Sophos team finds new ransomware using Confluence hole in attack

Sophos team finds new ransomware using Confluence hole in attack Image by David Mark from Pixabay

Researchers from global security firm Sophos have detailed how a relatively new Windows ransomware group known as Atom Silo carried out an attack over two days, initially using a flaw in Atlassian's Confluence collaboration software.

Senior threat researcher Sean Gallagher and his colleague Vikas Singh said a second backdoor was used in the attack, though they did not specify which software was the entry point, only saying three files were used, one being "a legitimate, signed executable from a third-party software provider that is vulnerable to an unsigned DLL sideload attack".

The DLL spoofed a library needed by the application's executable and was placed in the same folder on the targeted server as the vulnerable executable.

"This attack technique, known as DLL search order hijacking (ATT&CK T1574.001), is a well-worn technique recently observed in LockFile ransomware attacks leveraging the ProxyShell vulnerability," Gallagher and Singh wrote in their detailed blog post.

The DLL was used to decrypt and load the second backdoor from the third file, mfc.ini, which then connected to one of a number of hardcoded hostnames.

After this loaded, Windows shell commands could be executed remotely through the Windows Management Interface.

atomsilo warning

Lateral movement was then undertaken by the intruders and a number of additional servers were compromised in the next five hours. Information was gathered from the logs of the compromised servers: user credentials, accounts that were locked out and characteristics of the local network.

While this was in progress, another unrelated intruder used the Confluence vulnerability to install cryptominer malware.

Discovery and exfiltration of important data was then undertaken. An executable was dropped on the domain controller, with two variants used. These contained the following files:

  • autoupdate.exe (the ransomware, detected as Troj/Ransom-GKL);
  • autologin.exe, a Kernel Driver Utility hacktool;
  • autologin.sys, a driver targeting Sophos services, including the file scanning service; and
  • drv64.dll, a Kernel Driver Utility hacktool database, previously reported as part of a LockFile ransomware attack using the PetitPotam exploit.

The autologin.exe was used to map the autologin.sys driver to the kernel and, once loaded, protections against shutting down endpoint services could be bypassed.

The ransomware itself was then launched, and when it was detected by Intercept X’s CryptoGuard, the second attack executable was used to disable any protection.

atom silo2

Gallagher and Singh said though the initial vulnerability that allowed access to the attackers was only public for three weeks, patching was always a race for companies and at this time it was even more difficult due to the effects of the COVID lockdown.

"Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponising them rapidly to profit off them — as demonstrated by the evidence of two separate threat actors finding and exploiting the vulnerable Confluence server involved in this incident," they said.

"If the ransomware attack had not been discovered, the cryptocurrency miner on the server may have gone undiscovered."

Bill Kearny, Kajal Katiyar, Chaitanya Ghorpade and Rahil Shah were also credited with having played a role in the research.

Screenshots: courtesy Sophos

Read 1528 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News