tunnelvision

TunnelVision is a SentinelLabs-tracked Iranian-aligned threat actor cluster operating against organizations in the Middle East and the United States. SentinelLabs linked the actor’s activity to ransomware deployment, indicating potentially destructive intent. The cluster is characterized by broad exploitation of known and 1-day vulnerabilities at scale, including Fortinet FortiOS CVE-2018-13379, Microsoft Exchange ProxyShell, and Log4Shell in VMware Horizon environments. In observed VMware Horizon intrusions, TunnelVision exploited Log4j via the Tomcat service to execute PowerShell, deploy backdoors, create backdoor users, harvest credentials, and move laterally. Activity included PowerShell reverse shells, command output exfiltration through webhooks, use of the VMware Horizon NodeJS component for reverse shell execution, reconnaissance, creation of a backdoor user added to the local administrators group, credential harvesting with Procdump, SAM hive dumps, and comsvcs MiniDump, and internal subnet RDP scanning with a public port scanning script. A defining feature of the cluster is heavy use of tunneling tools, especially FRPC and Plink, including downloading and executing Plink and Ngrok to tunnel RDP traffic. SentinelLabs also observed use of legitimate public services including transfer.sh, pastebin.com, webhook.site, ufile.io, raw.githubusercontent.com, and a GitHub repository named VmWareHorizon from the account protections20 to host payloads. Reported infrastructure included command-and-control and payload hosting via domains such as microsoft-updateserver[.]cf and service-management[.]tk. SentinelLabs observed overlap with activity tracked by other vendors as Phosphorus, Charming Kitten, and Nemesis Kitten, but assessed that available attribution data was insufficient to conclude TunnelVision is identical to those clusters.