CVE-2021-22941: Citrix ShareFile Remote Code Execution Vulnerability Exploited by PROPHET SPIDER


A notorious Initial Access Broker PROPHET SPIDER was found exploiting CVE-2021-22941 vulnerability to gain unauthorized access to a Microsoft Internet Information Services (IIS) webserver. Cybercriminals aim at breaching organizations’ security systems to block sensitive data and then sell access to ransomware groups.

Exploiting the abovementioned path-traversal vulnerability allows adversaries to deliver a webshell that would download further payloads. PROPHET SPIDER may also gain initial access through a renowned Log4j vulnerability

Explore the most recent detections made by SOC Prime Threat Bounty developers and detect PROPHET SPIDER’s activity earlier than they gain access to your networks.

CVE-2021-22941 Detection

To detect possible PROPHET SPIDER attacks against your sustems, check the list of detection rules below. Our content covers both Citrix ShareFile and Log4j in VMware vulnerability exploits.

To mitigate the malicious activity associated with PROPHET SPIDER, it is important to avoid initial access gaps leveraged by the infamous threat actor. We encourgage you to detect and address not just an RCE vulnerability (CVE-2021-22941) but also Log4j vulnerabilities in VMware Horizon tagged CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832.

Suspicious PROPHET SPIDER Initial Access by Exploitation of CVE-2021-22941 to Deliver Webshell (via webserver)

PROPHET SPIDER Exploits Citrix ShareFile RCE Vulnerability (Post-exploitation)

Exploitation of the Log4j(CVE-2021-44228) vulnerability in VMware Horizon (via Scheduled Task Creation)

Prophet Spider with the exploitation of the Log4j(CVE-2021-44228) vulnerability in VMware Horizon (via cmdline)

Exploitation of the Log4j(CVE-2021-44228) vulnerability in VMware Horizon (via Scheduled Task Creation)

The rules are delivered by our Threat Bounty developers Emir Erdogan, Aytek Aytemur, and Nattatorn Chuensangarun.

Adepts at cybersecurity are more than welcome to join the Threat Bounty program to tap into the power of the community and get rewarded for their threat detection content.

View Detections Join Threat Bounty

CVE-2021-22941 Exploitation Details

The webshell deployed by adversaries uses known web-server vulnerabilities to download ransomware tools. The further specifications of the second-stage payloads may differ because attackers can choose which ones of them to use depending on their motivation. The payloads that were observed the most often include extortion, ransomware, and crypto mining.

PROPHET SPIDER threat actor has been operating since at least May 2017. They have been gaining access to the victims’ systems by exploiting known vulnerabilities in web servers. The latest activity seems no different from that, with the exception of a variety of second-stage payloads.

The latest known vulnerabilities frequently exploited by PROPHET SPIDER include:

  • CVE-2021-22941 affects Citrix ShareFile Storage Zones Controller to gain access to  a Microsoft IIS web server 
  • CVE-2021-44228, CVE-2021-45046, and CVE-2021-44832 affect known Log4j vulnerabilities in VMware Horizon

Once gained access to a targeted server, attackers overwrite the existing files with the help of uploaded parameters passed in an HTTP GET request. Then, they block the organizations’ data to resell it to other ransomware actors.

The following MITRE ATT&CK techniques and sub-techniques can be traced in this exploitation:

  • Initial Access (T1190) 
  • Execution (T1059.001) 
  • Persistence (T1505.003) 
  • Command and Control (T1071) 
  • Ingress Tool Transfer (T1105)

The detection content created by SOC Prime’s crowdsourcing contributors include behavior-based detections mapped to these TTPs.

Enhance your day-to-day SOC operations with the power of our global community of experienced threat detection experts continuously contributing to SOC Prime’s Detection as Code platform. Modern APTs continue growing their networks, therefore, dealing with constantly growing cyber threats is hardly possible if the organization is isolated in its own environment. Join our platform to stay in the know and detect cyber-attacks as soon as possible.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts