PROPHET SPIDER is Abusing Citrix ShareFile Remote Code Execution Bug to Deploy Webshell

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Security researchers at CrowdStrike Intelligence have examined an incident in which PROPHET SPIDER abused a remote code execution (RCE) bug in the Citrix ShareFile Storage Zones Controller to compromise a Microsoft Internet Information Services (IIS) web server. The threat actor exploited the flaw to install a web shell, which was then used to download additional tooling.

In September of last year, Citrix discovered a relative path-traversal bug in the ShareFile Storage Zones Controller, tracked as CVE-2021-22941. The vulnerability allows a malicious actor to overwrite an existing file on the target server via the uploadid parameter passed in an HTTP GET request.

On Jan. 10, 2022, CrowdStrike observed HTTP POST requests from PROPHET SPIDER against a Falcon® platform customer. The threat actor sent three web requests that:

● targeted upload.aspx
● contained encoded strings for ../ and ConfigService\Views\Shared\Error.cshtml in the URL parameters
● contained &bp=123&accountid=123 where the attacker had not customized the payload
 
The URI endpoint /upload.aspx is used for ShareFile uploads and normally carries parameters that describe the upload object, such as uploadid, cid or batched.

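The three request characteristics described above translate directly into a web-log triage rule. The following is an added example for defenders, not CrowdStrike's or Citrix's code; the log lines are constructed, and the decoding depth and the field layout (method followed by URI) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators from the incident write-up: a request to /upload.aspx whose query
# carries a (possibly encoded) "../" sequence and the file
# ConfigService\Views\Shared\Error.cshtml, optionally with the default
# bp=123&accountid=123 parameters of an un-customized payload.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
TARGET_FILE = "configservice\\views\\shared\\error.cshtml"


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded %252e%252e%252f is also caught (assumed depth)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri: str) -> dict:
    """Return the indicators matched by one request URI; an empty dict means not the upload endpoint."""
    parts = urlsplit(uri)
    if not parts.path.lower().rstrip("/").endswith("/upload.aspx"):
        return {}
    hits = {"endpoint": True}
    decoded_query = fully_decode(parts.query)
    # Normalise slashes so a forward-slash spelling of the target path still matches.
    normalised = decoded_query.replace("/", "\\").lower()
    if TRAVERSAL_RE.search(decoded_query):
        hits["traversal"] = True
    if TARGET_FILE in normalised:
        hits["error_cshtml"] = True
    params = parse_qs(decoded_query, keep_blank_values=True)
    if params.get("bp") == ["123"] and params.get("accountid") == ["123"]:
        hits["default_payload"] = True
    return hits


# Constructed sample log lines (not real traffic): "<method> <uri>" per line.
SAMPLE_LOG = [
    "GET /upload.aspx?uploadid=abc123&cid=42&batched=true",
    "POST /upload.aspx?uploadid=%2e%2e%2f%2e%2e%2fConfigService%5cViews%5cShared%5cError.cshtml&bp=123&accountid=123",
    "POST /upload.aspx?uploadid=..%252f..%252fConfigService%255cViews%255cShared%255cError.cshtml&bp=7&accountid=9",
    "GET /ConfigService/Views/Shared/Error.cshtml",
]


def triage(lines):
    """Return (line, sorted indicator names) for lines showing traversal or the Error.cshtml target."""
    results = []
    for line in lines:
        _method, uri = line.split(" ", 1)
        hits = inspect_request(uri)
        if hits.get("traversal") or hits.get("error_cshtml"):
            results.append((line, sorted(hits)))
    return results
```

A legitimate upload with uploadid, cid and batched matches only the endpoint indicator and is not reported, while both encoded traversal variants are flagged regardless of whether the default bp/accountid values were changed.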