The VMware Horizon Log4j vulnerability
A “potentially harmful actor” affiliated with the Iranian government is aggressively exploiting the well-known Log4j vulnerability in an effort to infect unpatched VMware Horizon servers with ransomware.
The group was named “TunnelVision” by cybersecurity company SentinelOne because of its heavy reliance on tunneling tools. Its techniques were noted to be similar to those of a larger group tracked under the codename Phosphorus, also known as Charming Kitten and Nemesis Kitten.
In a statement, the cybersecurity company explained that it is tracking the attacks as a separate Iranian cluster not because they are unconnected, but because there is currently insufficient information available to classify them as identical to any of the attributions already described.
TunnelVision attacks, according to what SentinelOne researchers explained in their report, are characterized by widespread exploitation of one-day vulnerabilities in target regions, with attacks detected in the Middle East and the United States.
It was also noted that the Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerability were being used alongside Log4Shell to gain initial access to target networks before moving on to post-exploitation activity.
According to the published report, researchers found that TunnelVision has been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor user accounts, harvest credentials, and perform lateral movement.
As part of its analysis, SentinelOne discovered parallels between the method used to run the reverse web shell and a PowerShell-based implant known as PowerLess, which was reported earlier this month by Cybereason researchers.
PowerShell is typically used to download tools such as Ngrok and to run further commands through reverse shells, which in turn are used to deploy a PowerShell backdoor capable of collecting credentials and running reconnaissance tasks on the victim’s machine.
Further details reveal that, while distributing the malicious payloads, the threat actor is believed to have used a GitHub repository named “VmWareHorizon” under the account name “protections20” to host them.