Prophet Spider exploits CVE-2021-22941

Industry: N/A | Level: Tactical | Source: CrowdStrike

CrowdStrike intelligence provides research of a recent attack by the threat group, Prophet Spider. The threat adversary exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impacting Citrix ShareFile Storage Zones Controller — to compromise a Microsoft Internet Information Services (IIS) web server. "From the exploit, the threat actors were able to upload a webshell to the IIS server." Following the exploitation, the attacker checked for connectivity using nslookup and utilized PowerShell with encoded and invoke-expression commands to download additional files. The threat group's preference for downloading and utilizing the "wget" utility has been observed in various operations.

• Anvilogic Scenario: Prophet Spider - Initial Setup Activity
• Anvilogic Use Cases:
• Web Application File Upload
• Common Reconnaissance Commands
• Common Application Security Testing Tools
• Encoded Powershell Command
• Executable File Written to Disk
• Invoke-WebRequest Command
• Invoke-Expression Command