
Attackers exploit zero-day RCE flaw in Cleo managed file transfer

“This process reaches out to an external IP address to retrieve new JAR files for continued post-exploitation,” the researchers said. “These JAR files contain webshell-like functionality for persistence on the endpoint. We observed attackers later deleting these JAR files post-execution in order to prolong their attacks and stay relatively stealthy.” The researchers noted that some of these files had already been deleted by the attackers before they could be recovered for analysis, but the LexiCom.dbg log file retains traces of which autorun files were executed, so defenders can still reconstruct that part of the activity. The attackers were also seen performing Active Directory reconnaissance with nltest.exe, a command-line tool built into Windows Server that is commonly used to enumerate domain controllers.
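The behaviour above (a Cleo Java process spawning a shell or nltest.exe) is easy to express as a process-tree hunt over Windows event ID 4688 (process creation) data. The script below is an added example written for this page, not code from the article, Huntress or Rapid7. It assumes the events have been exported as JSON lines with the standard 4688 field names, that the Cleo product's JVM runs from an install tree named LexiCom, VLTrader or Harmony, and the sample events, hostnames, paths and domain name are constructed for illustration.

```python
"""Hunt for Cleo post-exploitation process trees in 4688-style events.

Two rules: (1) high severity when the Cleo Java process spawns a shell or
nltest.exe, (2) medium severity when nltest.exe is run with domain-controller
or trust enumeration switches regardless of parent. Sample events below are
CONSTRUCTED; field names follow event ID 4688, values are invented.
"""
import json
import re

# Child processes tied to the activity described in the article.
SUSPICIOUS_CHILDREN = {"nltest.exe", "cmd.exe", "powershell.exe"}

# Assumption: the Cleo product's JVM (java.exe/javaw.exe) lives somewhere under
# an install directory named after the product. Adjust to the real install path.
CLEO_JAVA_RE = re.compile(r"\\(LexiCom|VLTrader|Harmony)\\.*\\javaw?\.exe$", re.IGNORECASE)

# nltest switches used to enumerate domain controllers and trusts.
NLTEST_RECON_RE = re.compile(r"/(dclist|dsgetdc|domain_trusts|trusted_domains)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cleo_java(path: str) -> bool:
    """True if the path looks like the Cleo product's own JVM."""
    return bool(CLEO_JAVA_RE.search(path))


def classify(event: dict):
    """Return (severity, reason) for one 4688 event, or None if it is benign."""
    parent = event.get("ParentProcessName", "")
    child = event.get("NewProcessName", "")
    cmdline = event.get("CommandLine", "")
    name = basename(child)
    if is_cleo_java(parent) and name in SUSPICIOUS_CHILDREN:
        return ("high", f"Cleo Java process spawned {name}")
    if name == "nltest.exe" and NLTEST_RECON_RE.search(cmdline):
        return ("medium", "nltest domain enumeration on a file-transfer server")
    return None


def hunt(jsonl: str) -> list:
    """Run classify() over JSON-lines 4688 events and return the hits in order."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict:
            hits.append({
                "time": ev.get("TimeCreated"),
                "severity": verdict[0],
                "reason": verdict[1],
                "command": ev.get("CommandLine", ""),
            })
    return hits


# CONSTRUCTED sample: five 4688-style events as JSON lines (backslashes are
# JSON-escaped). Two Cleo-spawned children, one nltest recon from a plain
# cmd.exe parent, and two benign events that must not fire.
SAMPLE_EVENTS = r"""
{"TimeCreated": "2024-12-10T03:14:07Z", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\LexiCom\\jre\\bin\\javaw.exe", "CommandLine": "cmd.exe /c whoami", "SubjectUserName": "SYSTEM"}
{"TimeCreated": "2024-12-10T03:14:21Z", "NewProcessName": "C:\\Windows\\System32\\nltest.exe", "ParentProcessName": "C:\\LexiCom\\jre\\bin\\javaw.exe", "CommandLine": "nltest /dclist:corp", "SubjectUserName": "SYSTEM"}
{"TimeCreated": "2024-12-10T03:16:02Z", "NewProcessName": "C:\\Windows\\System32\\nltest.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nltest /domain_trusts", "SubjectUserName": "svc_mft"}
{"TimeCreated": "2024-12-10T03:17:45Z", "NewProcessName": "C:\\LexiCom\\jre\\bin\\java.exe", "ParentProcessName": "C:\\LexiCom\\jre\\bin\\javaw.exe", "CommandLine": "java -cp lib\\*", "SubjectUserName": "SYSTEM"}
{"TimeCreated": "2024-12-10T08:02:11Z", "NewProcessName": "C:\\Windows\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe", "SubjectUserName": "jdoe"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['time']} {hit['reason']}: {hit['command']}")
```

On a real host, export the events with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` (command-line logging must be enabled for the `CommandLine` field to be populated) and feed them to `hunt()`; the Cleo JVM legitimately spawning another java.exe, as in the fourth sample event, is deliberately not flagged.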

Mitigate by isolating servers

One interim mitigation until a patch is available is to disable the Autorun directory feature in the Cleo software's configuration. According to Huntress, this is done by opening the product's “Configure” menu, selecting “Options”, navigating to the “Other” pane, and clearing the contents of the “Autorun Directory” field.

However, this only removes the execution step: it does not prevent the arbitrary file upload vulnerability itself from being exploited, so the best approach, according to Rapid7, is to isolate servers running the affected software from the internet or place a firewall in front of them.
