Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said on Thursday. Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision's heavy reliance on tunneling tools and the unique way it deploys them. In the past, TunnelVision has exploited so-called 1-day vulnerabilities -- meaning vulnerabilities that have been recently patched -- to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group's better-known targets. [...] The SentinelOne research shows that the targeting continues and that this time the target is organizations running VMware Horizon, a desktop and app virtualization product that runs on Windows, macOS, and Linux.

Apache Tomcat is an open source Web server that VMware and other enterprise software use to deploy and serve Java-based Web apps. Once installed, a shell allows the hackers to remotely execute commands of their choice on exploited networks. The PowerShell used here appears to be a variant of this publicly available one. Once it's installed, TunnelVision members use it to: Execute reconnaissance commands; Create a backdoor user and adding it to the network administrators group; Harvest credentials using ProcDump, SAM hive dumps, and comsvcs MiniDump; and Download and run tunneling tools, including Plink and Ngrok, which are used to tunnel remote desktop protocol traffic.

The hackers use multiple legitimate services to achieve and obscure their activities. Those services include: transfer.sh, pastebin.com, webhook.site, ufile.io, and raw.githubusercontent.com. People who are trying to determine if their organization is affected should look for unexplained outgoing connections to these legitimate public services.

This discussion has been archived. No new comments can be posted.

VMware Horizon Servers Are Under Active Exploit By Iranian State Hackers

Comments Filter:
  • by Mononymous ( 6156676 ) on Friday February 18, 2022 @07:13PM (#62282049)

    Does the ransomware contain pro-Islamic Revolution text?
    Are they using Iranian government IP addresses?
    Are they government contractors?
    What's the link?

    • Re:Aligned hackers? (Score:4, Interesting)

      by Baconsmoke ( 6186954 ) on Friday February 18, 2022 @07:20PM (#62282067)
      So, I don't know the scenario here. I can say that when we have to deal with an external threat and are working with three letter organizations, the way that a foreign actor is discovered is often kept secret. It makes it easier to use those 'signatures' to find others. Once the info is out there, then a lot of hacker groups will close shop and re-open and then they have to be found all over again. This is just conjecture as I don't know why this story is so light on details.
    • Details here (Score:5, Informative)

      by raymorris ( 2726007 ) on Friday February 18, 2022 @09:36PM (#62282301) Journal

      Monica Witt, a US counterintelligence agent, defected to Iran. The Iranian government have her room and board in Iran. Then Iranian hackers started targeting her former co-workers.

      You can probably guess who in Iran would want to attack US Navy counterintelligence capabilities, and have the technical chops to do so.

      More information can be found in the indictment of Witt. Four Iranians were also indicted and additional details are in those indictments.

      https://www.justice.gov/usao-d... [justice.gov]

      I link to the indictment because that information has been officially unsealed by the federal court. I'm not revealing any secrets that way. :)

      • > You can probably guess who in Iran would want to attack US Navy counterintelligence capabilities,

        Besides "everyone"? The US is seen as a dangerously corrupt Western power in Iran, and as the source of the sanctions that limit their nuclear proliferation and hinder other parts of their economy.

        Monica Witt's defection is an interesting possibility as a trigger for recent activity, but the motives for Muslim anger with Christian nations and Jewish friendly societies dates back to Mohammed.

  • by Baconsmoke ( 6186954 ) on Friday February 18, 2022 @07:14PM (#62282053)
    Reading this makes me glad our entire VMware cluster is on a completely offline network. Doing manual upgrades does suck, but it makes security events like this far less scary.
  • You can have the latest Linux host or the latest VMware but not both.

  • by Anonymous Coward

    How do you know? I suspect this is just more war mongering

    • Do you have any particular reason to think that? Do you have some evidence that Witt is in some other country, that she left Iran?

      The indictments contain about 60 pages of evidence. On the other hand, you have - some idea completely out of your ass, based on nothing?

      More information can be found in the indictment of Witt. Four Iranians were also indicted and additional details are in those indictments.

      https://www.justice.gov/usao-d... [justice.gov]

      I link to the indictment because that information has been officially uns

  • Hackers aligned with the government of Iran, North Korea, Russia, Venezuela .. bla bla blaaa. Yet more neocon cyber BS from the Microsoft slashdot.
    • As if all the hacking and ransomware out there is just for the lols. Come on. There have to be reasons. Such as: make money, cause damage, gather intelligence, do surveillance, do espionage⦠If itâ(TM)s not a gang, syndicate, or group out for money, itâ(TM)s a nation hacking for their own interests. If not those two, itâ(TM)s probably an NGO group that isnâ(TM)t out for money but for activism. If none of all of that, people doing it for the lulz or got the challenge. In that o
  • I wish our government did something to fill budget holes.

Avoid strange women and temporary variables.

Working...