MITRE ATT&CK: External remote service
If you would have told the average person fifty years ago that in the future people would be able to view what you are doing on a personal computer screen in your home or at your office, they would have thought that you were being silly at the least and crazy at the worst. But as most are aware, external remote services is the technology that we use to give us a “sci-fi movie” kind of view into the computers of others.
Attackers are well aware of this technology and regularly use it as one of their cyberattack techniques.
This article will detail the external remote services attack technique as enumerated in the MITRE ATT&CK matrix. We will explore what MITRE ATT&CK is, what external remote services are, how attackers use external remote services and real-world examples of this attack technique, as well as mitigation and detection.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use.
More information on the MITRE ATT&CK matrix can be found here.
What are external remote services?
External remote services are access mechanisms that allows users in external locations to connect to internal organization network resources. These services are not limited to one mechanism but rather are composed of a collection of different services including Virtual Private Networks (VPNs), Virtual Network Computing (VNC), Citrix, Windows Remote Management and other services.
How do attackers use external remote services?
While some attack techniques are limited to only one phase of an attack campaign, external remote services can be useful during different phases of a campaign. Attackers may use external remote services to help establish initial access into a system during or for persistence within a network that they already have an established foothold.
External remote services can also be useful as part of an attack campaign’s Redundant Access strategy — where if one tool or malicious program is brought down another tool will be used to maintain access to compromised systems.
Sometimes, credentials for valid accounts are required to allow external remote services to connect to internal network resources. To account for this, attackers can use credential pharming or simply stealing credentials from compromised users to obtain these credentials.
Any way you slice it, external remote services have been incorporated into many phases of an operation and need to be understood by the good guys to effectively stymie the adversaries.
As mentioned earlier, there are many faces of external remote services and they all have their different ways of getting the job done. The important thing is to have a big picture of how these services are used in attack operations and the real-world examples below will help shed some light on this.
Beginning as far back as 2012, Soft Cell is an attack campaign that has targeted telecommunication providers and is associated with the China-based APT10 attack group. Soft Cell has been observed to use VPN services to gain access to the victim’s environment.
Originating in China, Night Dragon is a type of cyberattack aimed at global gas, oil and petrochemical companies as well as important individuals and executives of companies in these industries. These attacks are known to gain access to compromised systems by using compromised VPN accounts of important individuals and executives of critical energy companies worldwide.
FIN5 is an attack group that has targeted the lodging industry throughout the United States. A notable thing about this group is that it has been observed to use legitimate VPN, VNC and Citrix credentials to gain entry to victim systems. These credentials were gained with a malware called RawPOS that scrapes targeted point-of-sale systems for legitimate remote services credentials.
MITRE offers several recommendations for mitigation of this attack technique, presented below.
- Disable or block unnecessary remote services
- Limit access to centrally managed concentrators of remote services, including VPNs, VPCs and all other managed remote access systems
- Use two-factor (or multi-factor) authentication
- Implementation of network segmentation to deny illegitimate remote access to internal remote systems with proxies, firewalls and gateways
Detection of this attack technique is centered around best practices of authenticating to remote services for valid accounts. This entails collection and analysis of authentication logs for unusual patterns of remote services access, accessing remote services outside of business hours and windows of activity.
External remote services is an attack technique that the MITRE ATT&CK Matrix lists as an initial access technique. While initial access may be the first appearance of using external remote services in an attack operation, it can be used in several other phases of an attack such as persistence.
Despite the usefulness of external remote services, authentication logs may include events that, if acted on appropriately, could also be the undoing of the attack.