
The state-sponsored TunnelVision group exploits the critical Log4j flaw to infect targets with ransomware.

Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said this week.

Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision’s heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities—meaning vulnerabilities that have been recently patched—to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group’s better-known targets.

SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky explained the attack in a blog. “TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands,” they said. The attackers also deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

“Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly,” they added. They then run further commands by means of PS reverse shells, executed via the Tomcat process.
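The behaviour described above (PowerShell, including reverse shells, launched by the Tomcat process that hosts the vulnerable Java application) is a parent/child relationship that should not occur on a healthy Horizon server, which makes it a useful detection anchor. The following is an added example, not code from the article or from SentinelOne: it scans constructed process-creation records in a simplified Sysmon-style `ParentImage|Image|CommandLine` layout, flags any PowerShell child of a Tomcat parent, and raises the severity when the command line carries an encoded command. The image paths, the `tomcat9.exe` service name and the `BASE64_PLACEHOLDER` blob are constructed sample values, not indicators from the report.

```python
"""
Added detection example (not from the article or SentinelOne).
Rule: Tomcat parent process spawning PowerShell, directly or via cmd.exe.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample records: ParentImage|Image|CommandLine
SAMPLE_EVENTS = [
    # Tomcat -> powershell with an encoded command (constructed, high severity)
    r"C:\tomcat\bin\tomcat9.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER",
    # Tomcat -> cmd.exe that relays into powershell (constructed, medium severity)
    r"C:\tomcat\bin\tomcat9.exe|C:\Windows\System32\cmd.exe"
    r'|cmd.exe /c powershell -c "Get-Process"',
    # Interactive admin launching PowerShell from Explorer (constructed, benign)
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe",
    # Tomcat -> cmd.exe without PowerShell (constructed; outside this rule's scope)
    r"C:\tomcat\bin\tomcat9.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
]

TOMCAT_PARENT = re.compile(r"tomcat", re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r"(^|[\\/])(powershell|pwsh)\.exe$", re.IGNORECASE)
POWERSHELL_IN_CMD = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def parse_event(line: str) -> ProcessEvent:
    """Split one pipe-delimited record into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return ProcessEvent(parent.strip(), image.strip(), cmdline.strip())


def has_encoded_command(cmdline: str) -> bool:
    """True if any switch is a prefix of -EncodedCommand (PowerShell
    accepts -e, -en, -enc, ... as abbreviations) or the -ec alias."""
    for tok in cmdline.split():
        t = tok.lower()
        if t == "-ec":
            return True
        if t.startswith("-") and len(t) >= 2 and "-encodedcommand".startswith(t):
            return True
    return False


def classify(ev: ProcessEvent):
    """Return a severity string for a matching event, or None."""
    if not TOMCAT_PARENT.search(ev.parent_image):
        return None
    child_is_ps = bool(POWERSHELL_IMAGE.search(ev.image))
    cmd_invokes_ps = bool(POWERSHELL_IN_CMD.search(ev.command_line))
    if not (child_is_ps or cmd_invokes_ps):
        return None
    return "high" if has_encoded_command(ev.command_line) else "medium"


def scan(lines):
    """Run the rule over raw records; returns (severity, image, command_line)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            findings.append((sev, ev.image, ev.command_line))
    return findings


if __name__ == "__main__":
    for sev, image, cmd in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {image} :: {cmd}")
```

The rule deliberately keys on the parent rather than on specific strings in the payload, so it survives changes to the reverse-shell one-liner; tuning it for a real fleet means replacing the constructed `tomcat` pattern with the actual service image on the Horizon hosts and allow-listing any legitimate maintenance scripts that the service is known to launch.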

The SentinelOne research shows that the targeting is ongoing and that the current targets are organizations running VMware Horizon, a desktop and application virtualization product available for Windows, macOS, and Linux.

Other vendors track TunnelVision activities under a variety of names, they explain. These include Phosphorus (Microsoft) and, confusingly, either Charming Kitten or Nemesis Kitten (CrowdStrike).

“We track this cluster separately under the name ‘TunnelVision’. This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions.”
