
Alleged Iran-linked Cyber Attacker Exploiting Log4j Vulnerability in VMware Horizon Service


Security researchers have found fresh evidence that another state-sponsored group allegedly is exploiting the Log4j vulnerability.

A ransomware threat actor allegedly linked to Iran is actively exploiting VMware Horizon’s virtual desktop platform, delivering “wide-exploitation” of one-day vulnerabilities in the U.S. and Middle East, a report said. This particular crew, dubbed TunnelVision by SentinelOne security researchers due to its “heavy reliance” on tunneling tools, is similar to other alleged Iranian cyber gangs in that it is primarily a ransomware operation.

To this point, the threat actors have been linked to exploits of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and most recently Log4Shell. The attackers have exploited a Log4j vulnerability in the Tomcat service of VMware Horizon to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement, the researchers said.

The alleged TunnelVision attacks offer an important reminder to MSSPs and MSPs: Use vulnerability scanners to pinpoint and then close Log4j vulnerabilities, both internally and for customers.

Along with China, North Korea and Russia, Iran is considered among the four most dangerous nation-state sponsored cyber extortionists worldwide. Managed security service providers would be well advised to regard TunnelVision as a potentially serious threat, if only for its ransomware capabilities. Applying patches for clients would be in order.

“In almost all of those cases, the threat actor deployed a tunneling tool wrapped in a unique fashion,” wrote SentinelLabs researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky in a blog post. The most commonly deployed tunneling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink, the authors said.
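Added here as an illustration, not code from the SentinelLabs report or this article: a small detector for the post-exploitation chain described above (Horizon's Tomcat service spawning PowerShell, a local user being added beneath it, and the FRPC/Plink tunnelling tools appearing). The process name ws_TomcatService.exe, the event field layout and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed image name of the VMware Horizon Tomcat service and the script
# hosts it should never legitimately spawn.
TOMCAT_IMAGES = {"ws_tomcatservice.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Tunnelling tools named in the report. Binaries are often renamed, so the
# command line is also checked: frpc "-c <config>", plink "-R <port>:" / "-pw".
TUNNEL_TOOLS = {"frpc.exe", "plink.exe"}
TUNNEL_ARGS = re.compile(r"(\s-c\s+\S+\.(ini|toml)\b|\s-R\s+\d+:|\s-pw\s)", re.I)
USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)

@dataclass
class ProcEvent:          # generic process-creation record (assumed schema)
    pid: int
    ppid: int
    image: str            # full path as logged
    cmdline: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def descends_from_tomcat(ev, by_pid, max_depth=4):
    """Walk the parent chain so cmd.exe -> powershell.exe under Tomcat still hits."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur.image) in TOMCAT_IMAGES:
            return True
        cur = by_pid.get(cur.ppid)
    return False

def detect(events):
    """Return (rule, pid) tuples for events matching the described chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        if img in SCRIPT_HOSTS and descends_from_tomcat(e, by_pid):
            alerts.append(("tomcat_spawned_shell", e.pid))
        if img in TUNNEL_TOOLS or TUNNEL_ARGS.search(e.cmdline):
            alerts.append(("tunnel_tool", e.pid))
        if USER_ADD.search(e.cmdline) and descends_from_tomcat(e, by_pid):
            alerts.append(("backdoor_user_under_tomcat", e.pid))
    return alerts

SAMPLE = [  # constructed events, not real telemetry
    ProcEvent(100, 1, r"C:\VMware\bin\ws_TomcatService.exe", "ws_TomcatService.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c powershell -nop -c "whoami"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -nop -c "whoami"'),
    ProcEvent(400, 300, r"C:\Windows\System32\net.exe", "net user svc_backup PLACEHOLDER /add"),
    ProcEvent(500, 300, r"C:\ProgramData\update.exe", "update.exe -c C:\\ProgramData\\frpc.ini"),
    ProcEvent(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(601, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -c Get-Date"),
]
```

The benign PowerShell under explorer.exe produces no alert, while the renamed FRPC binary is still caught by its config-file argument.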

Microsoft has been tracking TunnelVision’s activities as the hacking group Phosphorus, which during the 2020 Presidential election was tied to continuous attacks on the personal accounts of people associated with the Trump campaign. While Phosphorus is known for espionage campaigns targeting a wide variety of organizations tied to geopolitical, economic or human rights interests in the Middle East, it’s not clear whether TunnelVision directs its attacks at similar targets. The crew has also been tracked by CrowdStrike as Charming Kitten, an advanced persistent threat actor also monitored by Mandiant, or as Nemesis Kitten.

SentinelLabs, however, attributes the cluster of activity solely to TunnelVision, not because it believes the operators are “necessarily unrelated” to Phosphorus or Charming Kitten, but because at this point it isn’t clear that they are identical to those attackers.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.