eSentire documented a TunnelVision-linked intrusion that began on a VMware Horizon server, where Log4Shell (CVE-2021-44228) was exploited to harvest credentials and establish access. The operation included a backdoor “DomainAdmin” account, PsExec/RDP lateral movement, C2 via activate-microsoft[.]cf, and Ngrok-based RDP tunneling, with connections to GitHub for additional payloads. #TunnelVision #Log4Shell
Keypoints
- February 2022: suspicious account creation and credential harvesting traced to a VMware Horizon server.
- The Horizon server ran an out-of-date build vulnerable to Log4Shell (CVE-2021-44228) and received untrusted input routed from an Internet-facing system, so it was exploitable without being directly exposed.
- Threat intelligence links the activity to TunnelVision, an Iranian-aligned threat actor cluster.
- Artifacts include tunnel server 142.44.135[.]86 and C2 domains activate-microsoft[.]cf and microsoft-updateserver[.]cf with similar registration characteristics.
- Intrusion TTPs include an NTLM-authenticated pivot off the Horizon server, a backdoor “DomainAdmin” account, PsExec/RDP lateral movement, Procdump credential harvesting, and malware that installs a Windows service (SessionManagerService).
- Malware communicates with activate-microsoft[.]cf and GitHub, and downloads Sysinternals/SSH tools via browser; Ngrok is used for RDP tunneling to 142.44.135[.]86.
- eSentire MDR and SOC actions focused on isolating the host and blocking credential harvesting; emphasis on monitoring Horizon servers.
MITRE Techniques
- [T1078] Valid Accounts – The initial pivot from the compromised Horizon server used NTLM authentication for a generic administrator account. [‘The initial pivot from compromised Horizon server occurred using NTLM authentication for a generic administrator account.’]
- [T1136] Create Account – A backdoor account, “DomainAdmin”, is created on secondary systems with the net command and then added to the local Administrators group. [‘A backdoor account “DomainAdmin” is created on secondary systems using net command and then added to local administrators’ group.’]
- [T1021] Remote Services – The adversary then moves laterally using PsExec and RDP. [‘The adversary then performs lateral movement using PsExec and RDP.’]
- [T1003] OS Credential Dumping – Credentials are then harvested using Procdump. [‘Credentials are then harvested using Procdump.’]
- [T1543.003] Windows Service – Malware is written to C:\Users\DomainAdmin\Desktop\Drokbk.exe, which creates a service named “SessionManagerService”. [‘Malware is written to C:\Users\DomainAdmin\Desktop\Drokbk.exe which creates service name, “SessionManagerService”.’]
- [T1071] Web Protocols – Malware written to c:\programdata\SoftwareDistribution\SessionService.exe communicates with activate-microsoft[.]cf and GitHub. [‘…communicates with activate-microsoft[.]cf and GitHub.’]
- [T1105] Ingress Tool Transfer – Sysinternals and SSH tools are downloaded by the backdoor account using a web browser on compromised systems. [‘Sysinternals and SSH tools are downloaded by the backdoor account using a web browser on compromised systems.’]
- [T1572] Protocol Tunneling – RDP is tunneled with Ngrok to IP 142.44.135[.]86. [‘RDP tunneling is done using Ngrok to IP 142.44.135[.]86.’]
Indicators of Compromise
- [IP] Network connection – 142.44.135[.]86 (Ngrok tunnel server used for RDP)
- [Domain] C2 domains – activate-microsoft[.]cf and microsoft-updateserver[.]cf; github.com is legitimate infrastructure that the malware contacts for additional payloads, so treat it as a contextual indicator (in combination with the file and account indicators below) rather than a blocklist entry
- [File] Drokbk.exe – C:\Users\DomainAdmin\Desktop\Drokbk.exe (malware binary that creates the SessionManagerService service)
- [File] SessionService.exe – c:\programdata\SoftwareDistribution\SessionService.exe (malware component that communicates with C2; the path mimics the Windows Update folder name)
- [Account] DomainAdmin – backdoor local account created with net and added to the local Administrators group
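The techniques and indicators above translate directly into hunt logic. The following is an added example, not code from eSentire or from the original post: it encodes the TTPs (DomainAdmin created with net, PsExec, Procdump against LSASS, the SessionManagerService service, Ngrok RDP tunneling) and the IOCs listed on this page as matchers and runs them over constructed Sysmon-style event records. The Event field names, the sample events and the resolved IPs in them are assumptions made for the example; only the file paths, domains, account, service name and tunnel IP come from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators from the page, in raw form so they compare against telemetry.
TUNNEL_IP = "142.44.135.86"
C2_DOMAINS = {"activate-microsoft.cf", "microsoft-updateserver.cf"}
BACKDOOR_ACCOUNT = "domainadmin"
MALWARE_PATHS = {
    r"c:\users\domainadmin\desktop\drokbk.exe",
    r"c:\programdata\softwaredistribution\sessionservice.exe",
}
MALWARE_SERVICE = "sessionmanagerservice"


@dataclass
class Event:
    """Minimal stand-in (assumed schema) for a Sysmon record: process create, network connect or service install."""
    kind: str               # "process", "network" or "service"
    image: str = ""         # full path of the executable
    cmdline: str = ""
    user: str = ""
    dest_ip: str = ""
    dest_host: str = ""
    service_name: str = ""


def classify(ev: Event) -> list[tuple[str, str]]:
    """Return (technique, reason) pairs that a single event matches."""
    hits = []
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if ev.kind == "process":
        # T1136: "net user DomainAdmin ... /add" or "net localgroup administrators DomainAdmin /add"
        if re.search(r"\bnet1?(\.exe)?\s+(user|localgroup)\b", cmd) and BACKDOOR_ACCOUNT in cmd and "/add" in cmd:
            hits.append(("T1136", "net creates/elevates backdoor account"))
        # T1003: Procdump writing an LSASS memory dump
        if "procdump" in img and "lsass" in cmd:
            hits.append(("T1003", "procdump against lsass"))
        # T1021: PsExec client or the PSEXESVC service binary it drops
        if re.search(r"\\psexe(c|svc)(64)?\.exe$", img):
            hits.append(("T1021", "PsExec lateral movement"))
        # T1572: Ngrok exposing RDP (tcp 3389) through the tunnel provider
        if img.endswith("\\ngrok.exe") and re.search(r"\btcp\b.*\b3389\b", cmd):
            hits.append(("T1572", "ngrok tunnel for RDP"))
        if img in MALWARE_PATHS:
            hits.append(("IOC", f"known malware path {ev.image}"))
    elif ev.kind == "network":
        if ev.dest_ip == TUNNEL_IP:
            hits.append(("T1572", "connection to Ngrok tunnel server"))
        host = ev.dest_host.lower()
        if host in C2_DOMAINS:
            hits.append(("T1071", f"C2 beacon to {host}"))
        # github.com is legitimate: flag it only when a known malware binary is the client
        if host == "github.com" and img in MALWARE_PATHS:
            hits.append(("T1071", "malware payload fetch from github.com"))
    elif ev.kind == "service":
        if ev.service_name.lower() == MALWARE_SERVICE:
            hits.append(("T1543.003", f"service {ev.service_name} installed by {ev.image}"))
    return hits


def findings(events):
    """Flatten matches into (event index, technique, reason) for a timeline."""
    return [(i, tech, why) for i, ev in enumerate(events) for tech, why in classify(ev)]


def hunt(events):
    """Count matched techniques across a batch of events."""
    return Counter(tech for _, tech, _ in findings(events))


# Constructed sample telemetry imitating the chain on the page (not real logs).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\net.exe", "net user DomainAdmin P@ss /add", "HORIZON\\administrator"),
    Event("process", r"C:\Windows\System32\net.exe", "net localgroup administrators DomainAdmin /add", "HORIZON\\administrator"),
    Event("process", r"C:\Tools\PsExec.exe", r"PsExec.exe \\FILESRV01 -u CORP\administrator cmd", "HORIZON\\administrator"),
    Event("process", r"C:\Tools\procdump64.exe", "procdump64.exe -ma lsass.exe lsass.dmp", "FILESRV01\\DomainAdmin"),
    Event("process", r"C:\Users\DomainAdmin\Desktop\Drokbk.exe", "Drokbk.exe", "FILESRV01\\DomainAdmin"),
    Event("service", r"C:\ProgramData\SoftwareDistribution\SessionService.exe", service_name="SessionManagerService"),
    Event("network", r"C:\ProgramData\SoftwareDistribution\SessionService.exe", dest_host="activate-microsoft.cf", dest_ip="203.0.113.10"),
    Event("network", r"C:\ProgramData\SoftwareDistribution\SessionService.exe", dest_host="github.com", dest_ip="198.51.100.20"),
    Event("process", r"C:\Users\DomainAdmin\Downloads\ngrok.exe", "ngrok.exe tcp 3389", "FILESRV01\\DomainAdmin"),
    Event("network", r"C:\Users\DomainAdmin\Downloads\ngrok.exe", dest_ip="142.44.135.86"),
    # Benign noise that must not fire: an admin adding a different account, and git talking to GitHub.
    Event("process", r"C:\Windows\System32\net.exe", "net user svc_backup P@ss /add", "CORP\\it-admin"),
    Event("network", r"C:\Program Files\Git\mingw64\bin\git-remote-https.exe", dest_host="github.com", dest_ip="198.51.100.20"),
]

if __name__ == "__main__":
    for idx, tech, why in findings(SAMPLE_EVENTS):
        print(f"event {idx:2d}  {tech:10s} {why}")
    print(dict(hunt(SAMPLE_EVENTS)))
```

The IOC-only matchers (tunnel IP, C2 domains, file paths, service name) are brittle by design, since the actor can change them; the behavioural ones (net adding an account straight into Administrators, Procdump naming lsass, PsExec images, Ngrok with tcp 3389) are what to keep in a rule set once this campaign's infrastructure has rotated.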
Read more: https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor