The Hacker NewsTHN:F25FAD25E15EBBE4934883ABF480294DIranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware.
Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus as well as Charming Kitten and Nemesis Kitten.
“TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,” SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report, with the intrusions detected in the Middle East and the U.S.
Also observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerability to gain initial access into the target networks for post-exploitation.
“TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,” the researchers said.
The PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that’s capable of gathering credentials and executing reconnaissance commands.
SentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called PowerLess that was disclosed by Cybereason researchers earlier this month.
All through the activity, the threat actor is said to have utilized a GitHub repository known as “VmWareHorizon” under the username “protections20” to host the malicious payloads.
The cybersecurity company said it’s associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that “there is at present insufficient data to treat them as identical to any of the aforementioned attributions.”
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N