Iranian hackers target VMware Horizon servers with Log4j exploits

TunnelVision, an Iranian-affiliated hacker group, has been detected exploiting Log4j on VMware Horizon servers to compromise corporate networks in the Middle East and the United States. The security researchers monitoring the activity chose the moniker because of the group’s heavy reliance on tunnelling tools, which help it hide its operations from detection. Tunnelling is the practice of obfuscating or concealing data flows while they are in transit.

TunnelVision’s goal appears to be the deployment of ransomware, indicating that the group is interested not only in cyber espionage but also in data destruction and operational disruption. TunnelVision initially targeted CVE-2018-13379 (Fortinet FortiOS) and the Microsoft Exchange ProxyShell vulnerability chain, and has recently shifted its focus to Log4Shell.

The targeted deployments are VMware Horizon servers exposed to Log4j flaws that are trivial to exploit. The exploitation procedure is identical to the one described by the NHS in a January 2022 security bulletin: PowerShell commands are executed directly, and reverse shells are launched via the Tomcat service. While the PowerShell commands help the adversaries collect command output via a webhook, all connections go through one of the following legitimate services:

  • sh
  • com
  • site
  • io
  • githubusercontent.com

Researchers observed TunnelVision deploying two custom reverse shell backdoors onto compromised machines. The first payload is a zip file containing an executable named “InteropServices.exe”, which holds an obfuscated reverse shell that beacons to “microsoft-updateserver[.]cf”.

The second payload, which the threat actors have used most often in recent attacks, is a modified version of a one-line PowerShell reverse shell script published on GitHub.

TunnelVision uses this second backdoor to:

  • Run reconnaissance commands.
  • Create backdoor user accounts and add them to the administrators group.
  • Harvest credentials with Procdump, SAM hive dumps, and the comsvcs MiniDump technique.
  • Install and run tunnelling programmes such as Plink and Ngrok to tunnel RDP traffic.
  • Execute a reverse shell through the VMware Horizon NodeJS component.
  • Run a publicly available port scan script to scan the internal subnet for RDP.
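The behaviours listed above (a web service spawning a shell, credential dumping through comsvcs MiniDump, Procdump or a SAM hive save, accounts added to the administrators group, Plink/Ngrok launches, and internal RDP scanning) are all visible in ordinary endpoint and network telemetry. The following Python script is an added illustration, not code from the article or from the researchers’ report: it runs a handful of detection rules over constructed process-creation and connection records. The record field names, the sample events, the Horizon Tomcat service executable name used in the sample parent path, and the RDP scan threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_TOOLS = {"plink.exe", "ngrok.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# --- Process-creation rules; each takes one event dict and returns bool ---

def web_service_spawned_shell(ev):
    # Horizon runs on Tomcat; a Tomcat or NodeJS parent should not launch a shell.
    parent = basename(ev["parent"])
    return ("tomcat" in parent or parent == "node.exe") and basename(ev["image"]) in SHELLS


def lsass_memory_dump(ev):
    c = ev["cmdline"].lower()
    return ("comsvcs" in c and "minidump" in c) or ("procdump" in c and "lsass" in c)


def sam_hive_dump(ev):
    c = ev["cmdline"].lower()
    return re.search(r"\breg(?:\.exe)?\s+save\s+.*hklm\\sam\b", c) is not None


def local_admin_added(ev):
    c = ev["cmdline"].lower()
    return "/add" in c and re.search(r"\bnet1?\s+(?:localgroup\s+administrators|user)\b", c) is not None


def tunnel_tool_launched(ev):
    return basename(ev["image"]) in TUNNEL_TOOLS


RULES = {
    "web_service_spawned_shell": web_service_spawned_shell,
    "lsass_memory_dump": lsass_memory_dump,
    "sam_hive_dump": sam_hive_dump,
    "local_admin_added": local_admin_added,
    "tunnel_tool_launched": tunnel_tool_launched,
}


def scan_process_events(events):
    """Return (host, rule_name) pairs for every rule that fires, in event order."""
    return [(ev["host"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


def detect_internal_rdp_scan(conns, threshold=10):
    """Sources that tried RDP (3389) against at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for c in conns:
        if c["dport"] == 3389:
            targets[c["src"]].add(c["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


# Constructed sample telemetry (not real logs). The parent path in the first
# event is an assumed location for the Horizon Tomcat service executable.
SAMPLE_PROCESS_EVENTS = [
    {"host": "hzn-cs01", "parent": r"C:\VMware\Horizon\tomcat\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c <constructed>"},
    {"host": "hzn-cs01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"host": "hzn-cs01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"host": "hzn-cs01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "hzn-cs01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\temp\plink.exe", "cmdline": "plink.exe"},
    # Benign activity that must not fire any rule.
    {"host": "ws-042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    {"host": "ws-042", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\Software"},
]

SAMPLE_CONNECTIONS = (
    [{"src": "10.0.5.12", "dst": f"10.0.5.{n}", "dport": 3389} for n in range(20, 32)]
    + [{"src": "10.0.5.30", "dst": "10.0.5.40", "dport": 3389}]
)

if __name__ == "__main__":
    for host, rule in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{host}: {rule}")
    print("RDP scanners:", detect_internal_rdp_scan(SAMPLE_CONNECTIONS))
```

The rules are deliberately narrow string and regex matches so that each one maps to one item in the list above; in a real deployment the same logic would be expressed as EDR or SIEM queries over Sysmon/4688-style process events and firewall or NetFlow records, with the RDP threshold tuned to the size of the subnet.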


While TunnelVision shares some parallels and overlaps with other Iranian hacker groups, the researchers classify the group’s behaviour as distinct from the others. “TunnelVision actions have been discussed earlier and are being tracked by other vendors under a variety of names, including Phosphorus (Microsoft) and, more perplexingly, Charming Kitten or Nemesis Kitten (CrowdStrike).”

“This confusion arises because behaviour classified by Microsoft as ‘Phosphorus’ overlaps with activity classified by CrowdStrike as belonging to two distinct actors, Charming Kitten and Nemesis Kitten.” The researchers conclude that while a link between these groups cannot be ruled out, there is currently insufficient data to establish any connection.


Remediation Actions:

  1. Isolate the Infection: Prevent the infection from spreading by cutting infected computers off from other machines, shared storage, and the network.
  2. Identify the Infection: Determine which malware strain you are dealing with from on-screen messages, evidence on the machine, and identification tools.
  3. Report: Report the incident to the authorities to obtain support for, and coordination of, the response.
  4. Consider Your Options: There are several ways to deal with the infection; choose the approach that is most appropriate for your situation.
  5. Restore and Refresh: Restore the machine, or build a new one, from clean backups and trusted application and software sources.
  6. Plan to Prevent Recurrence: Assess how the infection arose and what you can do to prevent it from happening again.

Security experts recommend a number of preventive measures to avoid falling victim to ransomware.

  1. Use anti-virus and anti-malware software, along with other security controls, to block the execution of known payloads.
  2. Maintain frequent, complete backups of all critical files and keep them isolated from local and public networks.
  3. Immutable backup solutions such as Object Lock provide truly air-gapped backups: the data cannot be altered or deleted during the retention period set by the end user. With immutability enabled on essential data, you can quickly restore clean copies from the immutable backups, redeploy them, and resume business operations.
  4. Keep offline backups in locations that cannot be reached from any potentially infected machine, such as disconnected external storage drives or the cloud, so the ransomware cannot touch them.
  5. Apply the latest security updates from your operating system and application vendors. Patch operating systems, browsers, and web plugins early and often to close known vulnerabilities.
  6. Consider deploying security software that protects endpoints, email servers, and network systems from infection.
  7. Practise good cyber hygiene, including caution when opening email attachments and links.
  8. Segment your networks to isolate key machines and limit the spread of malware during an attack. Disable unused network shares.
  9. Remove administrator privileges from users who do not need them. Grant users the fewest system rights necessary to do their jobs.
  10. Restrict write permissions on file servers as far as is practical.
  11. Educate yourself, your colleagues, and your family about malware prevention best practices. Keep everyone informed about the latest email phishing scams and social engineering schemes designed to turn victims into unwitting accomplices.