ThreatCluster

Exploitation of Remote Services in Cyber Attacks

First seen 3 Jun 2026, 14:40 UTC attack.mitre.org 71% similarity 75

Article Content

Browse articles
ThreatCluster

Adversaries are increasingly leveraging external remote services like VPNs and Citrix to gain unauthorized access to networks. These attacks often involve using valid accounts obtained through credential harvesting or phishing. Notable incidents include the 2025 Poland Wiper Attacks, where threat actors exploited an exposed FortiGate VPN interface. Additionally, various APT groups, such as APT28 and APT29, have utilized remote services for persistence and lateral movement within compromised environments. The use of tools like ShadowLink to establish Tor hidden services for remote access has also been reported. Organizations are urged to implement multi-factor authentication and restrict unnecessary remote access to mitigate these threats. The ongoing nature of these attacks indicates a significant risk to enterprise networks.

Key Points: • Adversaries exploit remote services like VPNs and Citrix for unauthorized access. • Credential harvesting is a common method for obtaining valid accounts. • Implementing multi-factor authentication can help mitigate these threats.

ThreatCluster AI

Timeline

2025-01-01
2025 Poland Wiper Attacks
Threat actors exploited an exposed FortiGate VPN interface to gain access to the victim's environment.
attack.mitre.org
2025-01-15
ShadowLink tool usage reported
Adversaries utilized ShadowLink to configure Tor hidden services for persistent remote access.
attack.mitre.org
Recent
Increased exploitation of remote services
Various APT groups have been reported using remote services for lateral movement and persistence in networks.
attack.mitre.org

Community

Browse all →