MITRE ATT&CK: External remote services

December 12, 2019 by Lester Obbayi


In this article, we will discuss the various ways that attackers abuse external remote services to gain unauthorized access to internal networks. We will also discuss some technologies that are commonly targeted by malicious actors, how to detect these attacks and, finally, how to mitigate them.

This article does not by any means cover every targeted technology or every threat group out there. It merely lays a foundation for understanding what happens and how it happens.

Overview of the MITRE ATT&CK

The MITRE ATT&CK is a publicly-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, government and the cybersecurity product and service community.

The aim of the MITRE ATT&CK is to solve problems for a safer world by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

What are external remote services?

External remote services involve the various mechanisms that allow users to connect to internal enterprise network resources from external locations. Remote service gateways allow for the authentication of users connecting into the internal network. These gateways also manage connections for these services. The following are some of the most common external remote services:

  1. Virtual Private Networks (VPNs): A VPN extends a private network across a public network. This means that a tunnel is created within the public network within which users can send and receive data as if their devices were directly connected within the private network.
  2. Remote Desktop Connection (RDP): RDP is a Microsoft-designed protocol that provides remote display and input capabilities over network connections for Windows applications running on a server. RDP is capable of remote control, encryption, clipboard mapping and more.
  3. Virtual Network Computing (VNC): VNC allows for a remote graphical user interface to a system. This works by having a server update the framebuffer displayed on a viewer, allowing you to connect to a system remotely.
  4. RADIUS: RADIUS is a client/server protocol for remote access that authenticates users and authorizes their access to a service or system. RADIUS allows for the storage of user profiles within a central database that can be connected to remotely.
  5. Active Directory (AD): In many organization network setups, clients connect to the network and join the AD wirelessly. In order to achieve this, RADIUS and AD combinations might be necessary in order to authenticate the remote clients.

When malicious actors acquire valid accounts for these services through various means, they can gain unauthorized access to the internal network, enabling them to achieve persistence. Once persistent, attackers can get into the internal network at will, in what is referred to as redundant access. This can be very useful to them during operations.

How do attackers use external remote services to compromise a network?

In order for us to discuss how attackers could use external remote services to compromise a network, we considered a couple of previously identified and published attacks. The following threat actors have been discovered as mainly using remote services to aid their attacks.

  1. APT18: These malicious actors have previously been found using legitimate credentials to gain unauthorized access to organization networks. This group has targeted the technology, manufacturing, human rights, government and medical industries.
  2. Dragonfly 2.0: This hacker group is Russian-based. They have in the past targeted government entities, multiple U.S. critical infrastructure sectors and critical manufacturing sectors. This group has frequently used VPNs and Outlook Web Access (OWA) to maintain access within victim networks.
  3. FIN5: This is a financially-motivated threat group with likely Russian members. The attacks executed by this group have targeted payment card information and personally-identifiable information. This group has targeted the restaurant, gaming and hotel industries using VPN, Citrix and VNC attacks.
  4. Ke3chang: This is a Chinese-based threat group that has targeted various industries including the oil, government and military industries. This group managed to execute attacks through a stolen VPN certificate.

These threat actors seem to really rely on external remote services to complete their attacks. It is almost impossible for their attacks to be effective without a remote service compromise. The threat actors mentioned are only a few of those documented that employ similar attacks.

How are attacks from external remote services detected?

Attacks from external remote services can be quite difficult to detect since authentication to the services almost always seems legitimate. There are, however, a couple of things to keep in mind when looking out for such attacks. They include the following:

  1. Collect authentication logs: Authentication logs might be able to indicate suspicious account activity. For instance, accounts might be detected logging in at odd hours or outside business hours. Multiple accounts that are logged into a system simultaneously can also indicate a red flag. Shared accounts (user, admin or service accounts) should also be monitored for suspicious activities.
  2. Conduct regular security tests: Conducting pentests regularly might be able to identify malicious activity in progress. Pentests are able to uncover user accounts that may have been created by an adversary for persistence. Default accounts (such as Guest), credentials and SSH keys should be monitored and taken into account.
  3. Correlate security information: It is important to correlate login information with other security information. For instance, a scenario where a user account session is observed to be active while the user has never had VPN access granted nor even entered the premises might indicate a red flag.
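
The checks above can be run directly over remote-access gateway logs. The following is an added example, not code from the original article: the log format, account names, entitlement list and business-hours window are all constructed assumptions, and the concurrent-session rule (one account open from two source addresses) is a variation on the simultaneous-login signal.

```python
from datetime import datetime

# Constructed sample gateway log (format and values are illustrative only).
SAMPLE_LOG = """\
2019-12-09T09:02:11 LOGIN user=asmith src=198.51.100.7
2019-12-09T17:30:40 LOGOUT user=asmith src=198.51.100.7
2019-12-10T02:14:07 LOGIN user=jdoe src=203.0.113.45
2019-12-10T10:05:00 LOGIN user=svc_backup src=198.51.100.20
2019-12-10T10:20:00 LOGIN user=svc_backup src=203.0.113.99
2019-12-10T11:00:00 LOGOUT user=svc_backup src=198.51.100.20
2019-12-10T14:45:00 LOGIN user=mlee src=198.51.100.31
"""

VPN_GRANTED = {"asmith", "jdoe", "svc_backup"}  # assumed entitlement list
BUSINESS_HOURS = range(7, 19)                   # assumed 07:00-18:59, Mon-Fri

def parse(line):
    """Split one log line into (timestamp, action, user, source IP)."""
    ts, action, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), action,
            user_kv.partition("=")[2], src_kv.partition("=")[2])

def analyze(log_text, granted=VPN_GRANTED, hours=BUSINESS_HOURS):
    """Return (rule, user, src) findings in log order."""
    findings = []
    active = {}  # user -> set of source IPs with an open session
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, user, src = parse(line)
        sources = active.setdefault(user, set())
        if action == "LOGOUT":
            sources.discard(src)
            continue
        # Correlation: a session for an account never granted VPN access.
        if user not in granted:
            findings.append(("no_vpn_grant", user, src))
        # Odd hours: outside the business window or on a weekend.
        if ts.hour not in hours or ts.weekday() >= 5:
            findings.append(("off_hours", user, src))
        # Same account already has a session open from another address.
        if sources - {src}:
            findings.append(("concurrent_sources", user, src))
        sources.add(src)
    return findings

if __name__ == "__main__":
    for rule, user, src in analyze(SAMPLE_LOG):
        print(f"{rule:20} {user:12} {src}")
```

In practice the entitlement list would come from the directory or access-request system, and shared or service accounts would be given their own, stricter baseline.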

As we can see, these attacks are quite difficult to detect, so vigilance is required to ensure that any form of attack is detected as soon as possible in order to prevent further compromise. How can these attacks be mitigated against? We’ll discuss that next.

How can attacks from external remote services be mitigated?

Protecting against external remote service attacks is not as difficult as it may initially seem. There actually are a couple of measures that can be put in place to help secure the network. Some of the available methods are widely known; however, due to negligence, organizations continue to fall victim to more of these types of attacks.

  1. Follow industry best practice: Industry best practice dictates certain truths. For instance, the acceptable password minimum length is widely held to be eight characters, including upper- and lower-case characters, special characters and at least a digit or two. Account lockout thresholds need to be observed as well. Default credentials need to be updated and default installations discovered and hardened.
  2. Multi-factor authentication: Enabling multi-factor authentication mechanisms ensures that users are able to authenticate into the network using legitimate authentication mechanisms. Examples of multi-factor mechanisms include password generators, one-time passwords, confirmation codes and confirmation emails.
  3. Privileged account management: It is important to limit privileged user accounts across the network. Password reuse is a common problem: when administrator accounts on multiple systems share a password, an adversary who obtains that single privileged password can use it to gain unauthorized access on multiple systems. Domain or enterprise admin accounts need to be properly secured.
  4. Intrusion detection solutions: Some intrusion detection systems employ intelligent technology that can monitor the network for suspicious activities that may suggest the presence of a malicious actor. These solutions monitor the flow of traffic and analyze the activities performed within the network along with the normal hours at which such activities are executed.

The few considerations above are bound to hold if followed religiously. It is also important to think creatively and as an attacker would. For instance, not many would consider default credentials on equipment such as network devices. Some network devices come with default credentials printed inside or on them, and this alone could pose a significant threat to the organization.

Regular security training should also be conducted to keep employees from practicing poor password and cyber hygiene. Many organizations have been compromised through passwords collected from sticky notes found on desks.


External remote services play a crucial part in compromising enterprise security. Most of this is due to the failure of organizations to adhere to industry best practice for security. Most organizations do not even invest in security training for their staff, which often ends up in a compromise that could have been avoided. 




Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.