Iranian Hackers Target VMware Horizon Servers with Log4j Exploits

An Iranian-aligned hacking group tracked as TunnelVision was spotted exploiting Log4j on VMware Horizon servers to breach corporate networks in the Middle East and the United States.

Security analysts at SentinelLabs who have been tracking the activity chose that name due to the group's heavy reliance on tunneling tools, which help them hide their activities from detection solutions.

Tunneling is the process of routing data traffic in such a way that its transmission becomes obfuscated or even hidden.

Target flaws

TunnelVision has previously targeted CVE-2018-13379 (Fortinet FortiOS) and a Microsoft Exchange ProxyShell vulnerability set, and has now turned to the Log4Shell exploit.

The ultimate goal of TunnelVision appears to be the deployment of ransomware, so the group is not focused on cyber espionage alone but on data destruction and operational disruption too.

The target deployments are VMware Horizon servers vulnerable to the easy-to-exploit Log4j flaws. The exploitation process is the same as what the NHS detailed in a January 2022 security bulletin, which involves the direct execution of PowerShell commands and the activation of reverse shells via the Tomcat service.

The PowerShell commands help the adversaries retrieve outputs using a webhook, while all connections employ one of the following legitimate services:

Figure: Downloading ngrok to a compromised VMware server (Sentinel Labs)

Backdoors

SentinelLabs observed TunnelVision dropping two custom reverse shell backdoors onto compromised machines.

The first payload is a zip file that contains an executable named "InteropServices.exe," which contains an obfuscated reverse shell beaconing to "microsoft-updateservercf."

The second payload, which was predominantly used by the threat actors in recent attacks, is a modified version of a one-liner PowerShell available on GitHub.

Figure: Second reverse-shell used in most attacks (Sentinel Labs)

TunnelVision relies on this second backdoor to perform the following actions:

Create backdoor users and add them to the administrators' group.
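As an added illustration, not code from SentinelLabs or from the article, the three behaviours described above (the Horizon Tomcat service launching PowerShell, ngrok appearing on the server, and accounts being added to the local Administrators group) can be written as simple detection rules and run over constructed telemetry; the Horizon service path, the event field names and the sample records are all assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs). id "1" mimics a Sysmon process-creation
# event; id "4732" mimics the Windows Security event "member added to a local group".
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": r"C:\Horizon\bin\ws_TomcatService.exe",  # assumed service path
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <constructed>"},
    {"id": "1", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"id": "1", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\ngrok.exe", "cmd": "ngrok.exe <constructed>"},
    {"id": "4732", "group": "Administrators", "member": "svc_backup"},
    {"id": "4732", "group": "Remote Desktop Users", "member": "alice"},
]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rule_tomcat_spawns_shell(e: Dict[str, str]) -> bool:
    # The Tomcat service launching a shell is the Log4Shell-on-Horizon execution pattern.
    return (e["id"] == "1" and "tomcat" in basename(e["parent"])
            and basename(e["image"]) in SHELLS)

def rule_ngrok_execution(e: Dict[str, str]) -> bool:
    # Tunneling tool on a server: match by binary name or command line.
    return e["id"] == "1" and ("ngrok" in basename(e["image"]) or "ngrok" in e["cmd"].lower())

def rule_local_admin_added(e: Dict[str, str]) -> bool:
    # A new member in the local Administrators group (possible backdoor account).
    return e["id"] == "4732" and e["group"].lower() == "administrators"

RULES = {
    "tomcat_spawns_shell": rule_tomcat_spawns_shell,
    "ngrok_execution": rule_ngrok_execution,
    "local_admin_added": rule_local_admin_added,
}

def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

In a real deployment the rules would read Sysmon/Security events from the SIEM rather than the inline list, and the Tomcat rule should be tuned to the actual Horizon service binary on your hosts.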