External Remote Services, Technique T1133 - Enterprise
During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems.[7]
During the 2025 Poland Wiper Attacks, threat actors leveraged the FortiGate VPN interface that was exposed to the internet to gain access to the victim environment.[8][9]
Akira uses compromised VPN accounts for initial access to victim networks.[10]
APT-C-36 has used VPNs in their operational infrastructure.[11]
APT18 actors leverage legitimate credentials to log into external remote services.[12]
APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts.[13]
APT29 has used compromised identities to access networks via VPNs and Citrix.[14][15]
APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[16]
ArcaneDoor used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices.[17]
During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[18]
During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment.[19]
Chimera has used legitimate credentials to log in to an external VPN, Citrix, SSH, and other remote services.[20][21]
During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment.[22]
Doki was executed through an open Docker daemon API port.[23]
Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.[24][25]
Ember Bear has used VPNs both for initial access to victim environments and for persistence within them following compromise.[26]
FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN).[27]
FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.[28][29][30]
GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.[31][32]
GOLD SOUTHFIELD has used publicly accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.[33]
Hildegard was executed through an insecure kubelet that allowed anonymous access to the victim environment.[4]
Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.[34][35]
Kimsuky has used RDP to establish persistence.[36]
Kinsing was executed in an Ubuntu container deployed via an open Docker daemon API.[37]
LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix.[38][39]
Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.[40]
Linux Rabbit attempts to gain access to the server via SSH.[41]
Mafalda can establish an SSH connection from a compromised host to a server.[42]
During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.[43]
OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.[44]
During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}.[45]
During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN.[46]
Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.[47][48]
Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[49][50][51][52]
Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[53]
Sea Turtle has used external-facing SSH to achieve initial access to the IT environments of victim organizations.[54]
For the SolarWinds Compromise, APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools.[55][56]
TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.[57][58] TeamTNT has also targeted exposed kubelets for Kubernetes environments.[4]
Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.[59] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[60]
Velvet Ant has leveraged access to internet-facing remote services to compromise and retain access to victim environments.[61]
VOID MANTICORE has leveraged public-facing VPN infrastructure to gain initial access to victim environments.[62]
Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.[63]
Wizard Spider has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.[64]