VMware Horizon servers are actively exploited by Iranian state hackers


Hackers aligned with the Iranian government are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said Thursday.

Security company SentinelOne dubbed the group TunnelVision. The name is meant to emphasize TunnelVision’s heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called day-old vulnerabilities, meaning vulnerabilities that have been recently patched, to hack into organizations that have not yet installed the patch. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group’s best-known targets.

Enter Log4Shell

Recently, SentinelOne reported that TunnelVision began exploiting a critical vulnerability in Log4j, an open-source logging utility embedded in thousands of applications. CVE-2021-44228 (tracked and widely known as Log4Shell) allows attackers to easily take remote control of computers running applications written in the Java programming language. The bug has bitten the internet’s biggest players and has been widely exploited in the wild since it became public.

SentinelOne research shows that the targeting continues and this time the target is organizations running VMware Horizon, a desktop and application virtualization product that runs on Windows, macOS and Linux.

“TunnelVision attackers actively exploited the vulnerability to execute malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials, and perform lateral movements,” SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky wrote in a post. “Typically, the threat actor initially exploits the Log4j vulnerability to execute PowerShell commands directly, and then executes other commands through PS reverse shells, executed through the Tomcat process.”

Apache Tomcat is an open-source web server that VMware and other enterprise software use to deploy and serve Java-based web applications. Once installed, a reverse shell allows attackers to remotely execute commands of their choosing on exploited networks. The PowerShell reverse shell used here appears to be a variant of a publicly available one. Once it is installed, TunnelVision members use it to:

  • Execute reconnaissance commands
  • Create a backdoor user and add it to the network administrators group
  • Collect credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump
  • Download and run tunneling tools, including Plink and Ngrok, which are used to tunnel Remote Desktop Protocol traffic

The hackers use several legitimate services to carry out and hide their activities. These services include:

  • transfer.sh
  • pastebin.com
  • webhook.site
  • ufile.io
  • raw.githubusercontent.com

People trying to determine if their organization is affected should look for unexplained outbound connections to these legitimate utilities.
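As an added detection example (not code from the SentinelOne report or this article), the script below runs over constructed proxy and process-creation log lines: it flags hosts that reach the services listed above, ranks them by how many distinct services they touched, and also catches a Tomcat process launching PowerShell, the reverse-shell pattern the researchers describe. The log formats, IP addresses, hostnames and the Tomcat image name are assumptions.

```python
import re
from collections import defaultdict

# Legitimate services the report says TunnelVision used to stage tools and move data.
ABUSED_SERVICES = {"transfer.sh", "pastebin.com", "webhook.site", "ufile.io",
                   "raw.githubusercontent.com"}

# Constructed proxy log: "<timestamp> <client_ip> <destination_host> <status>"
SAMPLE_PROXY_LOG = """\
2022-02-17T10:01:02Z 10.0.5.21 updates.corp.example 200
2022-02-17T10:02:15Z 10.0.5.44 transfer.sh 200
2022-02-17T10:02:40Z 10.0.5.44 webhook.site 200
2022-02-17T10:03:01Z 10.0.5.21 raw.githubusercontent.com 200
2022-02-17T10:04:11Z 10.0.5.44 cdn.pastebin.com 200
"""

# Constructed process-creation log: "<timestamp> <host> <parent_image> -> <child_image>"
# (the Tomcat image path is an assumption, not taken from the report)
SAMPLE_PROCESS_LOG = """\
2022-02-17T10:02:10Z HORIZON01 C:\\Horizon\\bin\\tomcat_service.exe -> C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2022-02-17T10:02:12Z HORIZON01 C:\\Windows\\explorer.exe -> C:\\Windows\\System32\\cmd.exe
"""

def abused_destinations(proxy_log):
    """Map each client IP to the sorted abused services it reached (subdomains count)."""
    hits = defaultdict(set)
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, host = parts[1], parts[2].lower()
        hits[client].update(s for s in ABUSED_SERVICES if host == s or host.endswith("." + s))
    return {c: sorted(s) for c, s in hits.items() if s}

def rank_clients(hits):
    """Most distinct services first: a lone raw.githubusercontent.com hit is routine, several in minutes is not."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))

PARENT_CHILD = re.compile(r"^(\S+) (\S+) (.+?) -> (.+)$")
def tomcat_spawned_powershell(process_log):
    """Return (timestamp, host) pairs where a Tomcat process launched PowerShell."""
    findings = []
    for line in process_log.splitlines():
        m = PARENT_CHILD.match(line)
        if m:
            ts, host, parent, child = m.groups()
            if "tomcat" in parent.rsplit("\\", 1)[-1].lower() and \
                    child.rsplit("\\", 1)[-1].lower() == "powershell.exe":
                findings.append((ts, host))
    return findings
```

A hit on one of these services is a lead to investigate, not proof of compromise; the ranking exists so that a developer pulling a file from GitHub does not crowd out a host that touched three staging services in a few minutes.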

Tunnels, minerals and kittens

Thursday’s report says TunnelVision overlaps with several threat groups exposed by other researchers over the years. Microsoft dubbed one of them Phosphorus. That group, Microsoft reported, attempted to hack into a US presidential campaign and installed ransomware in an effort to generate revenue or disrupt opponents. The federal government has also said that Iranian hackers targeted critical infrastructure in the United States with ransomware.

SentinelOne said TunnelVision also overlaps with two threat groups security firm CrowdStrike tracks as Charming Kitten and Nemesis Kitten.

“We are tracking this cluster separately as ‘TunnelVision,’” the SentinelOne researchers wrote. “This does not mean that we believe they are necessarily unrelated, only that there is currently insufficient data to treat them as identical to any of the aforementioned attributions.”

The report provides a list of indicators that administrators can use to check whether they have been compromised.
