
Exploitation of Remote Services in Cyber Attacks

Severity: High (Score: 75.0)

Sources: attack.mitre.org

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: remote, services, adversaries, access, external, valid, accounts

Severity indicators: ot

Summary

Adversaries are increasingly leveraging external remote services like VPNs and Citrix to gain unauthorized access to networks. These attacks often involve using valid accounts obtained through credential harvesting or phishing. Notable incidents include the 2025 Poland Wiper Attacks, where threat actors exploited an exposed FortiGate VPN interface. Additionally, various APT groups, such as APT28 and APT29, have utilized remote services for persistence and lateral movement within compromised environments. The use of tools like ShadowLink to establish Tor hidden services for remote access has also been reported. Organizations are urged to implement multi-factor authentication and restrict unnecessary remote access to mitigate these threats. The ongoing nature of these attacks indicates a significant risk to enterprise networks.

Key Points:

  • Adversaries exploit remote services like VPNs and Citrix for unauthorized access.
  • Credential harvesting is a common method for obtaining valid accounts.
  • Implementing multi-factor authentication can help mitigate these threats.

Detailed Analysis

**Impact**

Organizations across multiple sectors, including energy (Ukraine Electric Power), government (Poland Wiper Attacks), finance (online billing/payment services), and critical infrastructure, have been targeted. Threat actors have leveraged remote services to gain initial access and maintain persistence, risking operational disruption and data compromise. The geographic scope includes Eastern Europe and North America, with potential global impact due to the widespread use of VPNs, Citrix, and remote desktop technologies. Sensitive data and network control are at risk from unauthorized access and lateral movement.

**Technical Details**

Adversaries exploit external-facing remote services such as VPNs, Citrix, RDP, SSH, VNC, and exposed APIs (Docker, Kubernetes) for initial access and persistence. Valid credentials are commonly used, obtained via credential harvesting or phishing. Tools like ShadowLink establish Tor hidden services for covert access, while malware such as modified Dropbear SSH backdoors and lateral movement frameworks like Impacket are employed. Notable threat groups include APT28, APT29, APT41, and FIN13. Techniques include brute force, credential reuse, and exploitation of unsecured kubelets or exposed management interfaces. No specific CVEs are detailed in the sources.

**Recommended Response**

Enforce multi-factor authentication on all remote service logins and restrict remote access to essential accounts only. Disable unnecessary remote services and exposed APIs, especially in containerized environments, and enable lockdown modes on virtualization hosts like ESXi. Monitor for unusual remote login patterns, including new source IPs and uncommon command executions post-login. Deploy detections for use of tools like ShadowLink and monitor for Tor network connections originating internally. Regularly audit permissions and credential use to prevent lateral movement.
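The monitoring guidance above (new source IPs per account, logins without MFA, brute-force or spraying attempts against remote services) can be turned into a small baseline-and-compare check over VPN authentication logs. The following is an added example written for this page, not code from MITRE ATT&CK or from the feed; the key=value log format, the field names (user, src, result, mfa) and the sample lines are all constructed for illustration, and a real deployment would map its own gateway's log schema onto the parser.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample lines in a hypothetical key=value syslog style (not real logs).
# BASELINE_LOGS plays the role of a historical window used to learn each account's
# usual source IPs; NEW_LOGS is the window being evaluated.
BASELINE_LOGS = [
    "2026-05-20T08:01:10Z vpn-gw01 auth: user=alice src=203.0.113.10 result=success mfa=yes",
    "2026-05-21T08:03:44Z vpn-gw01 auth: user=alice src=203.0.113.10 result=success mfa=yes",
    "2026-05-21T09:12:02Z vpn-gw01 auth: user=bob src=198.51.100.7 result=success mfa=yes",
    "2026-05-22T17:40:19Z vpn-gw01 auth: user=bob src=198.51.100.8 result=success mfa=yes",
]

NEW_LOGS = [
    "2026-06-03T02:14:55Z vpn-gw01 auth: user=alice src=203.0.113.10 result=success mfa=yes",
    "2026-06-03T02:15:10Z vpn-gw01 auth: user=bob src=192.0.2.44 result=failure mfa=no",
    "2026-06-03T02:15:12Z vpn-gw01 auth: user=carol src=192.0.2.44 result=failure mfa=no",
    "2026-06-03T02:15:14Z vpn-gw01 auth: user=dave src=192.0.2.44 result=failure mfa=no",
    "2026-06-03T02:15:30Z vpn-gw01 auth: user=alice src=192.0.2.44 result=success mfa=no",
    "2026-06-03T02:16:05Z vpn-gw01 auth: user=carol src=192.0.2.44 result=success mfa=yes",
]

# Regex for the assumed log layout; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each account to the set of source IPs it has successfully logged in from."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "success":
            seen[ev["user"]].add(ev["src"])
    return dict(seen)


def detect_login_anomalies(lines: List[str], baseline: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Flag successful logins from a source IP not in the account's baseline, accounts
    with no baseline at all, and successful logins that did not use MFA."""
    known = {user: set(ips) for user, ips in baseline.items()}
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["result"] != "success":
            continue
        reasons = []
        if ev["user"] not in known:
            reasons.append("no_baseline_for_user")
        elif ev["src"] not in known[ev["user"]]:
            reasons.append("new_source_ip")
        if ev["mfa"] != "yes":
            reasons.append("mfa_not_used")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "reasons": reasons})
        # Learn the IP so a repeat from the same address in this window is not re-alerted.
        known.setdefault(ev["user"], set()).add(ev["src"])
    return alerts


def spraying_sources(lines: List[str], min_failures: int = 3, min_users: int = 2) -> List[str]:
    """Return source IPs with at least min_failures failed logins spread over at
    least min_users distinct accounts, the shape of a password-spraying attempt."""
    failures: Counter = Counter()
    users_per_src: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "failure":
            failures[ev["src"]] += 1
            users_per_src[ev["src"]].add(ev["user"])
    return sorted(
        src for src, n in failures.items()
        if n >= min_failures and len(users_per_src[src]) >= min_users
    )


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for alert in detect_login_anomalies(NEW_LOGS, baseline):
        print("ALERT", alert)
    for src in spraying_sources(NEW_LOGS):
        print("SPRAY", src)
```

On the constructed input this raises two login alerts (alice from a never-seen address without MFA, and carol, who has no history at all) and names 192.0.2.44 as a spraying source; the thresholds are deliberately low for the sample and should be tuned against real volume. The same source-IP baseline can be cross-checked against a Tor exit list or the organisation's allowed geographies to cover the Tor-connection monitoring the response section recommends.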

Source articles (2)

  • External Remote Services — attack.mitre.org · 2026-06-03
    Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect t…
  • Remote Services — attack.mitre.org · 2026-06-03
    Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise e…

Timeline

  • 2025-01-01 — 2025 Poland Wiper Attacks: Threat actors exploited an exposed FortiGate VPN interface to gain access to the victim's environment.
  • 2025-01-15 — ShadowLink tool usage reported: Adversaries utilized ShadowLink to configure Tor hidden services for persistent remote access.
  • Recent — Increased exploitation of remote services: Various APT groups have been reported using remote services for lateral movement and persistence in networks.

Related entities

  • Akira (Ransomware Group)
  • Play (Ransomware Group)
  • Ryuk (Ransomware Group)
  • Apt18 (Apt Group)
  • Apt28 (Apt Group)
  • Apt29 (Apt Group)
  • APT41 (Apt Group)
  • Apt-c-36 (Apt Group)
  • Aquatic Panda (Apt Group)
  • ArcaneDoor (Apt Group)
  • CostaRicto (Apt Group)
  • Dragonfly (Apt Group)
  • Ember Bear (Apt Group)
  • FIN5 (Apt Group)
  • Gallium (Apt Group)
  • GOLD Southfield (Apt Group)
  • Ke3chang (Apt Group)
  • Kimsuky (Apt Group)
  • Kivars (Apt Group)
  • Leviathan (Apt Group)
  • Linux Rabbit (Apt Group)
  • Mafalda (Apt Group)
  • Night Dragon (Apt Group)
  • OilRig (Apt Group)
  • Operation CuckooBees (Apt Group)
  • Sandworm Team (Apt Group)
  • Scattered Spider (Apt Group)
  • Sea Turtle (Apt Group)
  • TeamTNT (Apt Group)
  • TEMP.Veles (Apt Group)
  • Threat Group-3390 (Apt Group)
  • Velvet Ant (Apt Group)
  • Void Manticore (Apt Group)
  • Volt Typhoon (Apt Group)
  • Wizard Spider (Apt Group)
  • Wocao (Apt Group)
  • Chimera (Malware)
  • Doki (Malware)
  • Fin13 (Malware)
  • Hildegard (Malware)
  • Kinsing (Malware)
  • Macma (Malware)
  • Stuxnet (Malware)
  • Brute Ratel C4 (Malware)
  • Brute Force (Attack Type)
  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Operation Wocao (Campaign)
  • Poland Wiper Attacks (Campaign)
  • SolarWinds Compromise (Campaign)
  • Ukraine Electric Power Attack (Campaign)
  • Poland (Country)
  • Ukraine (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • T1021.001 - Remote Desktop Protocol (Mitre Attack)
  • T1021.003 - Distributed Component Object Model (Mitre Attack)
  • T1021.006 - Windows Remote Management (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1047 - Windows Management Instrumentation (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1056 - Input Capture (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • Citrix (Company)
  • Docker (Tool)
  • Impacket (Tool)
  • ShadowLink (Tool)
  • Weave Scope (Tool)
  • WinRM (Tool)
  • Kubernetes (Platform)
  • MacOS (Platform)
  • Outlook Web Access (Platform)
  • VMware ESXi (Platform)
  • Windows (Platform)
  • Dropbear (Platform)