A “potentially destructive actor” aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware.
Cybersecurity firm SentinelOne dubbed the group “TunnelVision” owing to its heavy reliance on tunneling tools, with tactics that overlap those of a broader group tracked under the moniker Phosphorus as well as Charming Kitten and Nemesis Kitten.
“TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,” SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report, with the intrusions detected in the Middle East and the U.S.
Also observed alongside Log4Shell is the exploitation of the Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerability to gain initial access to the target networks for post-exploitation.
“TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,” the researchers said.