External Remote Services

External-facing remote services such as SSH, VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries may leverage such remote services to initially access and persist within a network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.[1]

Access to Valid Accounts or Private Keys, such as SSH passwords and keys, can be obtained in the preparatory stages of the attack or after compromising the enterprise network and its users.

Where an external SSH service implements password-based authentication, adversaries can also use Brute Force in an attempt to bypass the service login.

Procedure Examples

APT41: APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[2]

Linux Rabbit: Linux Rabbit attempts to gain initial access to the server via SSH.

Sandworm Team: Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[3][4]

UNC1945: The group compromised external SSH services for Initial Access and enabled port forwarding to maintain Persistence.

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

References

ID: VT0002
MITRE ID:
Sub-techniques: No sub-techniques
Tactics: Persistence, Initial Access
Platforms: Linux, Windows
Permissions Required: User
Data Sources: Authentication logs
CAPEC ID:
Version: 2.1

Created: 30 November 2020

Last Modified: 10 May 2021