“This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation,” the researchers said. “These JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to extend their attacks and remain relatively stealthy.” The researchers noted that some files had already been deleted by the attackers before they could be recovered for analysis, but a log file called LexiCom.dbg will contain traces of the autorun files that were executed. The attackers were also seen performing Active Directory reconnaissance by using nltest.exe, a command-line tool present on Windows Servers and used to enumerate domain controllers.
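As an added triage example (not code from the researchers' report or from Cleo), the script below scans LexiCom.dbg-style log lines for the three indicators described above: autorun files being executed, JAR files retrieved from external IP addresses, and nltest.exe invocations. The line layout, file names and addresses are constructed placeholders, since the real LexiCom.dbg format is not described here; the regular expressions are assumptions to adapt to the actual log.

```python
import ipaddress
import re

# Constructed sample lines in an assumed LexiCom.dbg-like layout. The real
# file's format is not documented on this page; adjust the patterns below.
SAMPLE_LOG = """\
2024-12-10 09:14:02 INFO  Autorun: processing file autorun/healthcheck.txt
2024-12-10 09:14:03 INFO  Autorun: executing command from autorun/main.xml
2024-12-10 09:14:05 INFO  Retrieving http://192.0.2.10:8080/update.jar
2024-12-10 09:14:09 INFO  Retrieving http://10.20.0.5/internal/config.jar
2024-12-10 09:15:11 INFO  Exec: nltest.exe /dclist:corp.example
2024-12-10 09:16:00 INFO  Scheduler: normal poll
"""

# Assumed patterns: an Autorun entry naming the file it ran, a JAR fetched
# from a bare IPv4 address, and any nltest invocation (AD reconnaissance).
AUTORUN_RE = re.compile(r"\bAutorun:.*?(autorun/\S+)", re.IGNORECASE)
JAR_URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*\.jar\b", re.IGNORECASE)
NLTEST_RE = re.compile(r"\bnltest(?:\.exe)?\b", re.IGNORECASE)

# RFC 1918, loopback and link-local ranges are treated as internal; anything
# else (including the 192.0.2.10 placeholder above) counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges listed above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def scan_lexicom_log(text: str) -> list[tuple[str, str]]:
    """Return (finding, evidence) pairs for lines an analyst should triage."""
    findings = []
    for line in text.splitlines():
        if m := AUTORUN_RE.search(line):
            findings.append(("autorun_file_executed", m.group(1)))
        if (m := JAR_URL_RE.search(line)) and is_external(m.group(1)):
            findings.append(("jar_from_external_ip", m.group(0)))
        if NLTEST_RE.search(line):
            findings.append(("ad_recon_nltest", line.strip()))
    return findings


if __name__ == "__main__":
    for kind, evidence in scan_lexicom_log(SAMPLE_LOG):
        print(f"{kind}: {evidence}")
```

Autorun executions are expected during normal operation, so the value of the first finding is in comparing the file names against what administrators actually placed in the Autorun directory.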
Mitigate by isolating servers
One possible mitigation until a patch is available is to disable the Autorun directory feature in the Cleo software configuration. According to Huntress, this can be done by going to the “Configure” menu of the software, selecting “Options” and navigating to the “Other” pane, where the contents of the “Autorun Directory” field should be removed.
However, this will not prevent exploitation of the arbitrary file upload vulnerability, so the best approach, according to Rapid7, is to isolate servers running the affected software from the internet or put a firewall in front of them.