While the Citrix ShareFile remote code execution vulnerability (CVE-2021-22941) is not new, the newsworthy development is that the threat group Prophet Spider is actively exploiting it in the wild.
What is it?
CVE-2021-22941 is a remote code execution vulnerability in the Citrix ShareFile storage zones controller that allows an unauthenticated attacker to remotely compromise the controller. Security researchers are currently observing Prophet Spider exploiting it to drop web shells. As with other vulnerabilities that ended in web shell deployment (think ProxyLogon), a web shell lets the attacker run commands in the SYSTEM context on the controller, and the likely end result is ransomware. In addition, publicly available exploit scripts mean anyone can start exploiting this vulnerability.
What can you do?
First things first, verify that your Citrix ShareFile storage zones controller is running version 5.11.20 or newer (the fixed release per Citrix CTX328123). Once that is done, threat hunting in the IIS logs is recommended, looking for:
- Requests whose target is upload.aspx
- Log entries whose URL parameters contain URL-encoded forms of "../" and "ConfigService\Views\Shared\Error.cshtml"
- Entries that may additionally contain "&bp=123&accountid=123" if the attacker has not customized the public exploit's default payload
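As an added example (not part of the original advisory or any FRSecure tooling), the following Python script runs the hunt described above over a constructed IIS W3C log sample. It parses the #Fields directive, URL-decodes each upload.aspx query string repeatedly so that double-encoded payloads are caught, normalises backslashes to forward slashes, and reports requests carrying a traversal sequence or the ConfigService\Views\Shared\Error.cshtml write target; the bp=123&accountid=123 defaults are reported only as corroboration, never on their own. The log lines are constructed, and the "uploadid" parameter name used in them is an assumption; the checks inspect the whole query string and do not depend on it.

```python
"""Hunt IIS W3C logs for CVE-2021-22941 exploitation attempts against upload.aspx.

Added example, not from the original advisory. It checks for the indicators the
advisory lists: requests to upload.aspx whose query string contains an encoded
traversal sequence, the write target ConfigService\\Views\\Shared\\Error.cshtml,
and (as corroboration only) the public exploit's default bp=123&accountid=123.
"""
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format; not a real capture. The
# "uploadid" parameter name is an assumption; the checks inspect the whole query.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-09-20 10:15:02 10.0.0.5 GET /upload.aspx uploadid=abc123&bp=5&accountid=42 443 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2021-09-20 10:16:44 10.0.0.5 POST /upload.aspx uploadid=..%2f..%2f..%2fConfigService%2fViews%2fShared%2fError.cshtml&bp=123&accountid=123 443 203.0.113.9 python-requests/2.26.0 200
2021-09-20 10:17:01 10.0.0.5 POST /upload.aspx uploadid=%2e%2e%5c%2e%2e%5cConfigService%5cViews%5cShared%5cError.cshtml&bp=7&accountid=99 443 203.0.113.9 curl/7.78.0 200
2021-09-20 10:18:30 10.0.0.5 POST /upload.aspx uploadid=%252e%252e%252f%252e%252e%252fConfigService%252fViews%252fShared%252fError.cshtml&bp=1&accountid=1 443 198.51.100.4 curl/7.78.0 200
2021-09-20 10:19:05 10.0.0.5 GET /ConfigService/Views/Shared/Error.cshtml - 443 198.51.100.4 curl/7.78.0 200
"""

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                  # "../" or "..\" after decoding
TARGET_PATH = "configservice/views/shared/error.cshtml"  # separator-normalised, lower-case
DEFAULT_EXPLOIT_PARAMS = "bp=123&accountid=123"          # public exploit defaults


def decode_query(query: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads such as %252e are caught."""
    current = query
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify_request(uri_stem: str, uri_query: str) -> list:
    """Return the reasons a request looks like CVE-2021-22941 exploitation (empty if clean)."""
    if not uri_stem.lower().endswith("/upload.aspx"):
        return []
    decoded = decode_query(uri_query)
    normalized = decoded.replace("\\", "/").lower()
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal sequence in query string")
    if TARGET_PATH in normalized:
        reasons.append("write target ConfigService\\Views\\Shared\\Error.cshtml in query string")
    # The default parameters alone are not evidence; report them only as corroboration.
    if reasons and DEFAULT_EXPLOIT_PARAMS in normalized:
        reasons.append("default public-exploit parameters bp=123&accountid=123 (payload not customised)")
    return reasons


def hunt_iis_log(log_text: str) -> list:
    """Parse W3C log text using its #Fields directive and return the suspicious requests."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order can differ between log files
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")               # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            continue                           # malformed or truncated line; skip it
        rec = dict(zip(fields, values))
        reasons = classify_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if reasons:
            hits.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "c-ip": rec.get("c-ip", ""),
                "method": rec.get("cs-method", ""),
                "status": rec.get("sc-status", ""),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['c-ip']} {hit['method']} {hit['status']}: " + "; ".join(hit["reasons"]))
```

Point `hunt_iis_log` at the contents of a real log file (for example `hunt_iis_log(open(path, encoding="utf-8").read())`) and pivot on every client IP it returns: review that source's other requests, and compare the IPs against the indicators listed below. Matching on the decoded, separator-normalised query rather than on a fixed encoded string is deliberate, since an attacker who customises the public exploit can trivially switch between `%2f`, `%5c` and double encoding.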
If you are unsure how to accomplish this, or you see signs of further compromise, please reach out to the FRSecure CSIRT (csirt@frsecure.com) or your preferred security vendor for help. Prophet Spider is known to be an access broker that sells ingress access to ransomware groups, so there may be time to remediate before the worst-case scenario.
Indicators of Compromise (IOCs)
| Description | IP Address |
| --- | --- |
| Site hosting wget.bin and winn.exe | 45.61.136[.]39 |
| Callback destination for ConPtyShell reverse shell | 107.181.187[.]184 |
| Source observed exploiting CVE-2021-22941 | |
| Site hosting ConPtyShell reverse shell | |
Sources
https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22941
https://support.citrix.com/article/CTX328123
https://nvd.nist.gov/vuln/detail/CVE-2021-22941