
Iranian Threat Actor “TunnelVision” Actively Exploiting VMware Horizon

According to a security advisory from SentinelOne, an Iranian-aligned threat actor, “TunnelVision”, is actively exploiting VMware Horizon instances through Log4j2 vulnerabilities.

TunnelVision’s activities are characterized by wide exploitation of 1-day vulnerabilities. During the time SentinelOne has tracked this actor, they have observed wide exploitation of Fortinet FortiOS (CVE-2018-13379), Microsoft Exchange (ProxyShell) and, recently, Log4Shell. In almost all of those cases, TunnelVision deployed a tunneling tool wrapped in a unique fashion.

The exploitation of Log4j in VMware Horizon is characterized by a malicious process spawned from the Tomcat service of the VMware product (located at C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe).

TunnelVision attackers have actively exploited the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement across the affected networks.

Usually, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly, and then runs further commands by means of PowerShell reverse shells, executed via the Tomcat process of VMware Horizon.
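The process lineage described above (a shell started by, or further down the tree from, the Horizon Tomcat service) can be hunted for in process-creation telemetry. The following is an added example, not code from this article or from SentinelOne; it assumes records carrying Sysmon Event ID 1 field names (`Image`, `ParentImage`, `ProcessGuid`, `ParentProcessGuid`), and the shell list and sample events are constructed for illustration.

```python
import ntpath

# Path of the Horizon Tomcat service, as given in the article.
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Assumption: illustrative list of shells; tune it against your own baseline.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def norm(path):
    """Normalise a Windows path (case, slashes, quotes) on any host OS."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def tomcat_descendant_shells(events):
    """Return shell-creation events whose ancestry includes the Tomcat service.

    `events` are process-creation records in time order. Linking uses
    ProcessGuid/ParentProcessGuid so that PID reuse cannot mislink processes.
    """
    tainted = set()  # GUIDs of the Tomcat service and everything below it
    hits = []
    for ev in events:
        image = norm(ev["Image"])
        from_tomcat = (ev["ParentProcessGuid"] in tainted
                       or norm(ev["ParentImage"]) == norm(TOMCAT))
        if from_tomcat or image == norm(TOMCAT):
            tainted.add(ev["ProcessGuid"])
        if from_tomcat and ntpath.basename(image) in SHELLS:
            hits.append(ev)
    return hits


def _ev(guid, parent_guid, parent_image, image):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "ParentImage": parent_image, "Image": image}


# Constructed sample events (not real telemetry); GUIDs are placeholders.
SAMPLE_EVENTS = [
    _ev("G1", "G0", r"C:\Windows\System32\services.exe", TOMCAT),
    _ev("G2", "G1", TOMCAT.lower(), r"C:\Windows\System32\cmd.exe"),
    _ev("G3", "G2", r"C:\Windows\System32\cmd.exe", PS),   # grandchild
    _ev("G4", "G9", r"C:\Windows\explorer.exe", PS),       # interactive use
]

if __name__ == "__main__":
    for hit in tomcat_descendant_shells(SAMPLE_EVENTS):
        print("ALERT", hit["ProcessGuid"], hit["ParentImage"], "->", hit["Image"])
```

Tracking descendants rather than only direct children means a shell launched through an intermediate process is still attributed to the Tomcat service.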

The best way to get ahead of these types of attacks is by securing and patching your VMware Horizon instances before they are compromised.