A threat group named Prophet Spider has exploited an RCE vulnerability in Citrix ShareFile to compromise a Microsoft Internet Information Services (IIS) web server.

About the attack

According to the CrowdStrike report, Prophet Spider has been evolving its tactics to exploit known web-server vulnerabilities.
  • Recently, the adversary exploited the vulnerability (CVE-2021-22941) to deploy a webshell to download additional tools. 
  • For initial access, the adversary sends an HTTP POST request to an IIS server by using the user agent python-requests/2.26.0. 
  • After achieving initial access, the adversary uses a certain command to test connectivity and, if successful, performs a name lookup on a subdomain of burpcollaborator[.]net.

The exploited flaw

In September 2021, the relative path-traversal vulnerability (CVE-2021-22941) was disclosed in ShareFile Zones Storage Controller. Later, researchers also presented a proof-of-concept (POC) exploit for the CVE.
  • The flaw allows overwriting an existing file on a target server using the uploadid parameter in an HTTP GET request.
  • Some cybercriminals created fully weaponized exploits for CVE-2021-22941, which have proliferated since mid-October 2021.
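
The two request-level indicators described above (a traversal sequence in the uploadid parameter and the python-requests user agent) can be hunted for in IIS W3C logs. The following is an added example, not code from the CrowdStrike report or from Cyware; the log lines, paths and IP addresses are constructed, and it goes slightly beyond the text by also catching double-encoded traversal sequences.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C log excerpt (documentation IPs, placeholder paths); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-01-10 09:14:02 GET /placeholder.aspx uploadid=ab12cd34&bp=1 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-01-10 09:15:40 POST /placeholder.aspx uploadid=..%2F..%2Fplaceholder%2Ffile&bp=1 203.0.113.9 python-requests/2.26.0 200
2022-01-10 09:16:11 GET /placeholder.aspx uploadid=%252e%252e%255cplaceholder 203.0.113.9 curl/7.79.1 404
2022-01-10 09:17:30 POST /other.aspx - 198.51.100.8 python-requests/2.26.0 200
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")                 # "../" or "..\" after decoding
SCRIPTED_UA = re.compile(r"^python-requests/", re.I)  # user agent named in the report

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_iis_log(text):
    """Return (line_no, client_ip, reasons) for each suspicious request."""
    fields, findings = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared in the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        reasons = []
        query = row.get("cs-uri-query", "-")
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        # parse_qs removes one encoding layer; fully_decode removes any further ones.
        for key, values in params.items():
            if key.lower() == "uploadid" and any(TRAVERSAL.search(fully_decode(v)) for v in values):
                reasons.append("uploadid-path-traversal")
        if SCRIPTED_UA.match(row.get("cs(User-Agent)", "")):
            reasons.append("python-requests-user-agent")
        if reasons:
            findings.append((line_no, row.get("c-ip", "?"), reasons))
    return findings

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The user-agent match on its own is a weak signal, since legitimate automation also uses python-requests; treat it as corroboration for the uploadid finding rather than as an alert by itself.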

Background on Prophet Spider

Prophet Spider is an eCrime group active since May 2017. It is known for gaining access to victims by targeting vulnerable web servers, commonly ones affected by publicly disclosed vulnerabilities. It has previously been observed exploiting Oracle WebLogic server flaws.

Conclusion

Prophet Spider is known for abusing publicly disclosed server vulnerabilities to deliver web shells. This recent exploitation shows how persistently a threat group evolves to make use of different exploit code. Thus, organizations are advised to always follow a proper patch management program.
Cyware Publisher
