TunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers
- Actor Motivations: Exfiltration
- Attack Vectors: Vulnerability Exploitation, Zero-Day Attack, Malware
- Attack Complexity: Very High
- Threat Risk: High Impact/Low Probability
Threat Overview
In early February 2022, the TunnelVision threat actor exploited a vulnerable VMware Horizon server using the Log4Shell vulnerability (CVE-2021-44228) to gain unauthorized access. The attack involved suspicious account creation, credential harvesting, and lateral movement using PsExec and RDP. The adversaries also harvested credentials using ProcDump and downloaded Sysinternals and SSH tools. The intrusion was attributed to the Iranian-aligned TunnelVision activity cluster based on the observed TTPs and artifacts. The targeted sectors and countries are not specified in the report.
Extracted IOCs
- activate-microsoft[.]cf
- microsoft-updateserver[.]cf
- 142[.]44.135.86
Tip: 3 related IOCs (1 IP, 2 domains, 0 URLs, 0 emails, 0 file hashes) have been found for this threat.
Overlaps
Source: Secureworks - December 2022
Detection (one case): activate-microsoft[.]cf
Source: Deep Instinct - June 2022
Detection (one case): microsoft-updateserver[.]cf
Source: Secureworks - May 2022
Detection (one case): microsoft-updateserver[.]cf
Source: SentinelLabs - February 2022
Detection (one case): 142[.]44.135.86
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.