
The state-sponsored TunnelVision group exploits critical Log4j flaw to infect targets with ransomware.

Hackers aligned with the government of Iran are exploiting the critical Log4j vulnerability to infect unpatched VMware users with ransomware, researchers said this week.

Security firm SentinelOne has dubbed the group TunnelVision. The name is meant to emphasize TunnelVision’s heavy reliance on tunneling tools and the unique way it deploys them.

In the past, TunnelVision has exploited so-called 1-day vulnerabilities, meaning vulnerabilities that have been recently patched, to hack organizations that have yet to install the fix. Vulnerabilities in Fortinet FortiOS (CVE-2018-13379) and Microsoft Exchange (ProxyShell) are two of the group’s better-known targets. SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky explained the attack in a blog. “TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands,” they said. The attackers also deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

“Typically, the threat actor initially exploits the Log4j vulnerability to run PowerShell commands directly,” they added. They then run further commands by means of PowerShell reverse shells, executed via the Tomcat process.
