TunnelVision, an Iranian-affiliated hacker group, was detected attacking Log4j on VMware Horizon servers to compromise corporate networks in the Middle East and the United States.

Cyber security experts who have been monitoring the activity picked the moniker because of the group's heavy use of tunnelling tools, which enable them to conceal their operations from detection. Tunnelling is the process of obfuscating or even concealing data flow during its transmission.

TunnelVision's goal appears to be the distribution of ransomware, indicating that the gang is not just interested in cyber espionage but also in data destruction and operational disruption.

TunnelVision initially targeted CVE-2018-13379 (Fortinet FortiOS) and a series of Microsoft Exchange ProxyShell vulnerabilities, and has recently shifted its focus to the Log4Shell attack. The target deployments are VMware Horizon servers that are vulnerable to Log4j issues that are trivial to exploit.

The exploit procedure is identical to that described by the NHS in a January 2022 security bulletin, and it entails the direct execution of PowerShell commands and the activation of reverse shells via the Tomcat service. While the PowerShell commands assist adversaries in collecting outputs via a webhook, all connections make use of one of the following authorized services:

Researchers observed TunnelVision deploying two custom reverse shell backdoors onto compromised PCs. The first payload is a zip file containing an executable called "InteropServices.exe". This executable contains an obfuscated reverse shell beaconing to "microsoft-updateservercf". The second payload, which threat actors have primarily employed in recent attempts, is a modified version of a one-line PowerShell script published on GitHub. TunnelVision makes the following use of this second backdoor:

- Create users for the backdoor and add them to the administrators group.
- Harvest credentials with Procdump, SAM hive dumps, and comsvcs MiniDump.
- Install and run tunnelling programmes, such as Plink and Ngrok, to tunnel RDP traffic.
- Execute a reverse shell using the VMware Horizon NodeJS component.
- Use a publicly available port scan script to conduct RDP scans on the internal subnet.