Over the past few weeks, an Iran-linked threat actor has been targeting VMware Horizon servers by exploiting the well-known Log4j flaw, in order to run malicious PowerShell commands, deploy backdoors, harvest credentials and perform lateral movement.
After the Log4j vulnerability (CVE-2021-44228) was first revealed in December, VMware released builds with patches that address the flaw impacting its Horizon servers and “highly recommended” that customers install the updates. Still, exploitation attempts have continued over the past two months, with a report this week revealing that Google Cloud is still seeing 400,000 scans a day for systems vulnerable to the flaw.
Researchers with SentinelLabs dubbed this recent malicious activity cluster “TunnelVision,” because the attacker relies heavily on tunneling tools to relay traffic in and out of compromised networks. In addition to exploiting the Log4j flaw, researchers said that the threat actor behind this activity has previously exploited a flaw in Fortinet FortiOS (CVE-2018-13379) and the ProxyShell chain of Microsoft Exchange vulnerabilities in operations targeting organizations in the Middle East and the U.S.
“Much like other Iranian threat actors operating in the region lately, TunnelVision’s activities were linked to deployment of ransomware, making the group a potentially destructive actor,” according to Amitai Ben Shushan Ehrlich, threat intelligence researcher with SentinelLabs on Thursday.
Attackers targeted the Apache Tomcat service on VMware Horizon servers, in a move similar to previous Log4Shell attacks observed in January that were launched by an unidentified threat group. In this more recent spate of attacks, “typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of [PowerShell] reverse shells, executed via the Tomcat process,” said researchers.
Researchers observed two PowerShell reverse shells being executed following the Log4Shell exploitation. One is a previously observed custom backdoor that retrieves payloads from an attacker-controlled domain and drops an additional executable containing an obfuscated version of a reverse shell. The second PowerShell backdoor appears to be a modified variant of a reverse shell from Nishang, a publicly available PowerShell offensive toolkit, and carries several capabilities: executing reconnaissance commands, creating a backdoor user and adding it to the administrators group, credential harvesting (dumping LSASS memory with Procdump or with the MiniDump export of comsvcs.dll), downloading and executing tunneling tools, executing a reverse shell and scanning ports.
In almost all of its campaigns, the threat actor deployed tunneling tools, which open an outbound connection from the compromised host to an attacker-controlled relay and forward traffic over it, giving the attacker a command-and-control channel and a path to internal services even where the firewall allows no inbound connections. The tunneling tools the group most commonly deployed are Fast Reverse Proxy Client (FRPC), Ngrok and Plink, said researchers.
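The chain described above (the Horizon Tomcat service spawning PowerShell, LSASS dumping with Procdump or comsvcs.dll MiniDump, and the drop of FRPC, Ngrok or Plink) leaves a recognizable trail in process-creation telemetry. The following detection sketch is an added example, not code from SentinelLabs or from the article, run over constructed process-creation records that imitate Sysmon Event ID 1 fields. The parent process name `ws_TomcatService.exe` is assumed to be the Horizon Connection Server's Tomcat service and should be verified against your own Horizon install; the sample events, paths and PIDs are made up for this example.

```python
"""
Process-creation rules for the TunnelVision post-exploitation chain:
  - the Horizon Tomcat service spawning a shell (Log4Shell -> PowerShell),
  - LSASS memory dumping via rundll32 comsvcs.dll MiniDump or Procdump,
  - execution of the tunneling tools the group deploys (frpc, ngrok, plink).
Events below are constructed for this example; they are not from the incident.
"""
import ntpath

# Assumption for this example: the Horizon Connection Server's Tomcat runs as
# ws_TomcatService.exe. Confirm the service image name in your own environment.
TOMCAT_PARENTS = {"ws_tomcatservice.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNELING_TOOLS = {"frpc.exe", "ngrok.exe", "plink.exe"}

# Constructed sample events with Sysmon-style fields (parent image, image,
# command line). The last one is a benign interactive PowerShell launch.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\l.dmp full"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\lsass.dmp"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule a single process-creation event matches."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    # Web-facing Java service spawning a shell is the Log4Shell execution signature.
    if parent in TOMCAT_PARENTS and image in SHELLS:
        hits.append("tomcat_spawns_shell")
    # rundll32 comsvcs.dll, MiniDump <pid> <file> full: living-off-the-land LSASS dump.
    if "comsvcs" in cmd and "minidump" in cmd:
        hits.append("comsvcs_minidump")
    # Sysinternals Procdump pointed at lsass (-ma writes a full memory dump).
    if image.startswith("procdump") and "lsass" in cmd:
        hits.append("procdump_lsass")
    # Tunneling clients matched by file name only; see the caveat below the block.
    if image in TUNNELING_TOOLS:
        hits.append("tunneling_tool")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every match, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The first rule is the most durable of the four, because a Horizon Connection Server's Tomcat process has no legitimate reason to launch PowerShell or cmd.exe. The tunneling-tool rule matches on file name and is trivially evaded by renaming the binary; in production, key that rule on file hashes, signer information or the outbound connections these clients make instead, and treat the name match as a low-confidence enrichment.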
TunnelVision’s activities overlap with other previously reported activity clusters, including the group Microsoft tracks as Phosphorus. However, researchers said, “we track this cluster separately under the name ‘TunnelVision.’ This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions.”
Researchers have closely followed threat activity against the Log4j flaw. In January they noted that APT35 was exploiting the vulnerability to deploy modular, PowerShell-based malware, and that a China-based ransomware operator was targeting the vulnerability in internet-facing systems running VMware Horizon.