The attackers used a zero-day RCE flaw to drop files onto servers running Cleo software

“This process accesses the external IP address to find new JAR files to continue exploit after exploit,” the researchers said. “These JAR files contain webshell-like functionality for persistence. We’ve seen attackers later delete these JAR files after execution to expand their attacks and remain stealthy.” The researchers noted that some of the files had already been deleted by the attackers before they were submitted for analysis, but a log file called LexiCom.dbg will contain clues about the autorun files that were used. Attackers have also been observed performing Active Directory reconnaissance with nltest.exe, a command-line tool that ships with Windows Server and is used to enumerate domain controllers.
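The two behaviours described above, JAR files appearing in the Cleo Autorun directory and nltest.exe being launched from the Cleo Java process, are the kind of thing a detection engineer would want to hunt for in endpoint telemetry. The following script is an added example, not code from the article, Huntress or Rapid7: it runs two simple rules over constructed process-creation and file-creation records (field names modelled loosely on Windows 4688 / Sysmon events). The JVM image names, the assumption that the Autorun directory path contains the word "autorun", and every sample record are illustrative assumptions, not indicators from the page.

```python
"""Hunt for the post-exploitation behaviour described in the article.

Added example (not the article's or the vendors' code). Two rules:
  1. Active Directory recon: nltest.exe (named in the article) spawned
     directly by the Cleo Java process.
  2. Persistence: new .jar files landing in the Cleo Autorun directory.
All field names, image names and sample records below are constructed
assumptions for illustration.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumption: Cleo products run on a bundled JVM with one of these image names.
CLEO_JVM_IMAGES = {"javaw.exe", "java.exe"}
# Tool named in the article as used for domain-controller enumeration.
RECON_TOOLS = {"nltest.exe"}
# Assumption: the configured Autorun directory path contains this word.
AUTORUN_MARKER = "autorun"
# The article describes JAR files with webshell-like functionality.
DROPPED_EXTENSIONS = (".jar",)


@dataclass
class ProcEvent:
    """One process-creation record (4688 / Sysmon ID 1 style, simplified)."""
    image: str
    parent_image: str
    command_line: str


@dataclass
class FileEvent:
    """One file-creation record (Sysmon ID 11 style, simplified)."""
    path: str
    creating_image: str


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows separators on any host."""
    return os.path.basename(path.replace("\\", "/")).lower()


def flag_ad_recon(events: List[ProcEvent]) -> List[ProcEvent]:
    """Rule 1: a recon tool whose direct parent is the Cleo JVM."""
    return [
        e for e in events
        if _basename(e.image) in RECON_TOOLS
        and _basename(e.parent_image) in CLEO_JVM_IMAGES
    ]


def flag_autorun_jars(events: List[FileEvent]) -> List[FileEvent]:
    """Rule 2: a JAR file created inside the Autorun directory."""
    return [
        e for e in events
        if AUTORUN_MARKER in e.path.lower()
        and _basename(e.path).endswith(DROPPED_EXTENSIONS)
    ]


def triage(procs: List[ProcEvent], files: List[FileEvent]) -> Dict[str, int]:
    """Summarise hits per rule so a responder can see what fired."""
    return {
        "ad_recon_from_cleo_jvm": len(flag_ad_recon(procs)),
        "jar_dropped_in_autorun": len(flag_autorun_jars(files)),
    }


# Constructed sample telemetry (not real indicators).
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\nltest.exe",
              r"C:\LexiCom\jre\bin\javaw.exe", "nltest /dclist:corp"),
    # Same tool run by an administrator from a shell: not flagged by rule 1.
    ProcEvent(r"C:\Windows\System32\nltest.exe",
              r"C:\Windows\System32\cmd.exe", "nltest /dclist:corp"),
    ProcEvent(r"C:\LexiCom\jre\bin\javaw.exe",
              r"C:\Windows\System32\services.exe", "javaw.exe -jar LexiCom.jar"),
]

SAMPLE_FILES = [
    FileEvent(r"C:\LexiCom\autorun\dropped_example.jar",
              r"C:\LexiCom\jre\bin\javaw.exe"),
    # A .dbg log write in the log directory: benign, not flagged by rule 2.
    FileEvent(r"C:\LexiCom\logs\LexiCom.dbg",
              r"C:\LexiCom\jre\bin\javaw.exe"),
    # A non-JAR file in Autorun: legitimate Cleo autorun content is possible,
    # so this rule stays narrow and does not flag it.
    FileEvent(r"C:\LexiCom\autorun\sync_profile.xml",
              r"C:\LexiCom\jre\bin\javaw.exe"),
]

if __name__ == "__main__":
    for hit in flag_ad_recon(SAMPLE_PROCS):
        print("recon from Cleo JVM:", hit.command_line)
    for hit in flag_autorun_jars(SAMPLE_FILES):
        print("JAR in Autorun:", hit.path)
    print(triage(SAMPLE_PROCS, SAMPLE_FILES))
```

Rule 1 only looks one level up the process tree; in practice the JVM often spawns a shell first, so a production rule should also treat cmd.exe or powershell.exe children of the Cleo JVM as suspicious and walk the chain. Rule 2 is deliberately narrow because the Autorun directory can hold legitimate content; correlating a new JAR with an outbound connection from the JVM, which the researchers describe, would raise confidence.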

Mitigate by isolating the servers

A possible workaround until a patch is available is to disable the Autorun directory feature in the Cleo software configuration. According to Huntress, this can be done by going to the “Configure” menu of the software, selecting “Options” and navigating to the “Other” pane, where the contents of the “Autorun Directory” field should be cleared.

However, this will not prevent exploitation of the arbitrary file upload vulnerability, so the best option, according to Rapid7, is to isolate the servers running the affected software from the Internet or place them behind a firewall.
