Researchers have identified a notable exploitation technique in which JAR files are retrieved from external IP addresses and used to maintain a persistent presence on compromised endpoints. These JAR files behave like webshells, giving the attackers ongoing access. Notably, the attackers have been observed deleting the files after execution to obscure their activity and prolong the intrusion while minimizing detection. Some of these files had already been removed before they could be analyzed; however, a log file named LexiCom.dbg remains available and may contain information on the autorun files that were executed. The attackers also used nltest.exe, a command-line tool commonly found on Windows Servers, to conduct reconnaissance against Active Directory: it lets them enumerate domain controllers and gather key information about the network’s structure.
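The two behaviours described above (nltest.exe reconnaissance, and a JAR that is executed and then promptly deleted) can be hunted for in endpoint telemetry. The following is an added example written for this article, not code from CSO Online or Rapid7; the log format, hostnames, paths and timestamps are constructed for illustration.

```python
"""Flag nltest.exe use and execute-then-delete JAR activity in process/file events.
Constructed log format (hypothetical): timestamp|host|event|detail"""
from datetime import datetime, timedelta

# Constructed sample telemetry; host, paths and domain are placeholders.
SAMPLE_LOG = """\
2024-12-10T09:01:05|FILESRV01|FileCreate|C:\\Cleo\\autorun\\run.jar
2024-12-10T09:01:07|FILESRV01|ProcessCreate|java.exe -jar C:\\Cleo\\autorun\\run.jar
2024-12-10T09:01:09|FILESRV01|FileDelete|C:\\Cleo\\autorun\\run.jar
2024-12-10T09:02:11|FILESRV01|ProcessCreate|nltest.exe /dclist:corp.example
2024-12-10T09:05:00|FILESRV01|ProcessCreate|notepad.exe C:\\notes.txt
"""

def parse(log: str):
    """Turn the pipe-delimited lines into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events

def find_nltest_recon(events):
    """nltest.exe is a legitimate admin tool, but a file-transfer server has
    no normal reason to query Active Directory, so any execution is worth review."""
    return [e for e in events
            if e[2] == "ProcessCreate" and e[3].lower().startswith("nltest.exe")]

def find_short_lived_jars(events, window=timedelta(minutes=5)):
    """A .jar that is created, run with java, then deleted within `window`
    matches the execute-then-delete pattern the article describes."""
    hits, jars = [], {}
    for ts, host, kind, detail in events:
        d = detail.lower()
        if kind == "FileCreate" and d.endswith(".jar"):
            jars[(host, d)] = {"created": ts, "executed": False}
        elif kind == "ProcessCreate" and "java" in d and ".jar" in d:
            for (h, path), rec in jars.items():
                if h == host and path in d:
                    rec["executed"] = True
        elif kind == "FileDelete" and (host, d) in jars:
            rec = jars.pop((host, d))
            if rec["executed"] and ts - rec["created"] <= window:
                hits.append((host, detail, ts - rec["created"]))
    return hits

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("nltest:", find_nltest_recon(evs))
    print("short-lived jars:", find_short_lived_jars(evs))
```

Pair this with the LexiCom.dbg log mentioned above, since it may record autorun files that no longer exist on disk.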
Mitigate by Isolating Servers
In light of the vulnerabilities identified, experts suggest several mitigating steps to take while a comprehensive software patch is awaited. One immediate action is to disable the Autorun directory feature in the Cleo software settings: navigate to the “Configure” menu, select “Options,” and in the “Other” section clear the contents of the “Autorun Directory” field.
It is important to note, however, that while this step reduces risk, it does not eliminate the threat posed by the arbitrary file upload vulnerability itself. Security professionals from Rapid7 therefore recommend a more robust defense: isolating servers running the affected software from the internet, for example by placing a firewall between them and external networks, which mitigates external attacks and improves the network’s overall security posture.
Source
www.csoonline.com