Article 5WA1C VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers

by
BeauHD
from Slashdot on (#5WA1C)
An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux. Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: Execute reconnaissance commands; Create a backdoor user and adding it to the network administrators group; Harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and Download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic. The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.

twitter_icon_large.pngfacebook_icon_large.png

Read more of this story at Slashdot.

External Content
Source RSS or Atom Feed
Feed Location https://rss.slashdot.org/Slashdot/slashdotMain
Feed Title Slashdot
Feed Link https://slashdot.org/
Feed Copyright Copyright Slashdot Media. All Rights Reserved.
Reply 0 comments