VMware Horizon Log4j

A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware.

Cybersecurity firm SentinelOne dubbed the group "TunnelVision" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus as well as Charming Kitten and Nemesis Kitten.

Automatic GitHub Backups

"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions," SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report, with the intrusions detected in the Middle East and the U.S.

Also observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerability to gain initial access into the target networks for post-exploitation.

"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement," the researchers said.

Prevent Data Breaches

The PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.

SentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called PowerLess that was disclosed by Cybereason researchers earlier this month.

All through the activity, the threat actor is said to have utilized a GitHub repository known as "VmWareHorizon" under the username "protections20" to host the malicious payloads.

The cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that "there is at present insufficient data to treat them as identical to any of the aforementioned attributions."


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.