CVE-2021-22941 – Prophet Spider, Prophet Spider, Does Whatever A Threat Group Does.

Share This Post

While the ShareFile remote code execution vulnerability (CVE-2021-22941) is not new, the current newsworthy threat is that the Advanced Persistent Threat (APT) group Prophet Spider is currently exploiting the vulnerability in the wild.

What is it?

CVE-2021-22941 is a remote code execution that allows an unauthenticated attacker to remotely compromise the storage zones controller. Security researchers are currently witnessing Prophet Spider exploiting the vulnerability to drop web shells. Like other vulnerabilities that resulted in web shells being deployed (think ProxyLogon) this would allow an attacker to run commands in System context, likely the end result leading to ransom. In addition, there are publicly available exploit scripts for anyone to start exploiting this vulnerability.

What can you do?

First things first, verify your Citrix ShareFile storage zones controller is 5.11.20 or newer. Once that is accomplished, threat hunting in IIS logs is recommended for the following:

  • Target upload.aspx
  • Log entries that contain encoded strings for “../" and “ConfigService\Views\Shared\Error.cshtml" in the URL parameters
  • May contain &bp=123&accountid=123 if the attacker has not customized the payload

If you are unsure how to accomplish this or see signs of further compromise please reach out the FRSecure CSIRT (csirt@frsecure.com) or your preferred security vendor for help. Prophet Spider is known to be an access broker that sells ingress access to ransom groups, so there could be time to remediate before the worst case scenario.

Indicators of Compromise (IOCs)

DescriptionIP Addresses
Site hosting wget.bin and winn.exe45.61.136[.]39
Callback destination for ConPtyShell reverse shell107.181.187[.]184
Source observed exploiting CVE-2021-22941
188.119.149[.]160
Site hosting ConPtyShell reverse shell
hxxps[:]//raw.githubusercontent[.]com
/antonioCoco/ConPtyShell/master
/Invoke-ConPtyShell.ps1

Sources

https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22941

https://support.citrix.com/article/CTX328123

https://nvd.nist.gov/vuln/detail/CVE-2021-22941



Reach out to our incident response team for help

More To Explore

Information Security News 9-30-2024

NIST Drops Password Complexity, Mandatory Reset Rules Article Link: https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules Hacker Plants False Memories in ChatGPT to Steal User Data in Perpetuity Article Link: https://arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel/

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.