“This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation,” the researchers said. “These JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to delay their attacks and stay relatively stealthy.” The researchers noted that some files had already been deleted by the attackers before they could be recovered for analysis, but a log file called LexiCom.dbg will contain traces of the autorun files that were executed. The attackers were also seen performing Active Directory reconnaissance using nltest.exe, a command-line tool present on Windows Servers and used to enumerate domain controllers.
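Because the attackers delete their JAR files after execution, a responder's first artefact is the LexiCom.dbg log rather than the files themselves. The script below is an added example (not code from Huntress, Rapid7 or Cleo) that pulls the autorun file names referenced in the log and flags those that no longer exist in the autorun directory; the log line format and the sample lines are constructed assumptions, since the page does not describe the real format.

```python
import re
from pathlib import Path

# ASSUMPTION: we treat any log line mentioning "Autorun" followed by a file name
# ending in .jar or .xml as a record of an autorun file being processed.
# The real LexiCom.dbg format is not documented on the page; adjust the pattern.
AUTORUN_RE = re.compile(r"Autorun.*?([\w.-]+\.(?:jar|xml))", re.IGNORECASE)


def autorun_files_from_log(log_text):
    """Return the ordered, de-duplicated file names the log says were autorun."""
    seen = []
    for line in log_text.splitlines():
        m = AUTORUN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def missing_autorun_files(log_text, present_files):
    """Files the log references as autorun that are no longer on disk.

    A file that was executed and then removed matches the clean-up behaviour
    described by the researchers and deserves a closer look (timeline, hashes
    from backups or EDR telemetry, outbound connections around that time).
    """
    present = {name.lower() for name in present_files}
    return [f for f in autorun_files_from_log(log_text) if f.lower() not in present]


def scan_autorun_dir(log_path, autorun_dir):
    """Filesystem wrapper: read LexiCom.dbg and compare against the autorun directory."""
    log_text = Path(log_path).read_text(errors="replace")
    present = [p.name for p in Path(autorun_dir).iterdir() if p.is_file()]
    return missing_autorun_files(log_text, present)


# Constructed sample log lines (not real Cleo output) for a stand-alone run.
SAMPLE_LOG = """\
2024-12-09 10:15:01 INFO  Autorun: processing file notes.txt
2024-12-09 10:15:02 INFO  Autorun: executing file sync.xml
2024-12-09 10:15:03 INFO  Autorun: executing file update.jar
2024-12-09 10:15:09 INFO  Autorun: executing file sync.xml
"""

if __name__ == "__main__":
    # Pretend only sync.xml is still on disk: update.jar was executed then deleted.
    print(missing_autorun_files(SAMPLE_LOG, ["sync.xml"]))  # ['update.jar']
```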
Mitigate by isolating servers
One possible mitigation until a patch is available is to disable the Autorun directory feature in the Cleo software configuration. According to Huntress, this can be done by going to the “Configure” menu of the software, selecting “Options” and navigating to the “Other” pane, where the contents of the “Autorun Directory” field should be cleared.
However, this will not prevent exploitation of the arbitrary file upload vulnerability, so the best approach, according to Rapid7, is to isolate servers running the affected software from the internet or put a firewall in front of them.