Remote Services Exploitation - Definition, Examples, & Prevention - ExtraHop
What Is Remote Services Exploitation?
Remote services exploitation is a technique that allows an adversary to gain unauthorized access into a network's internal systems by taking advantage of a vulnerability (such as a programming error) or a valid account. Once a remote connection is made, an attacker might execute adversary-controlled code, most likely with a goal to move laterally to that system.
To identify vulnerable systems, attackers typically employ one or more discovery techniques such as network service scanning to seek out unpatched software.
Common ransomware and malware such as Ryuk, WannaCry and NotPeya, contain features that use known exploits to execute code onto a network, ultimately resulting in lateral movement and propagation.
Remote Desktop Protocol (RDP) is a common target for remote service, and it's easy to see why. It's prevalent in enterprise environments, it provides remote access to a Windows device, and it leaves credentials exposed in memory.
Protection Against Remote Service Exploitation
To avoid costly exploits, your first line of defense should be to reduce and secure vulnerable access points. Start by updating software to keep any newly released patches up to date, and disable and remove any unused programs. From there, application isolation, sandboxing, and network segmentation can prevent lateral movement and reduce access to certain systems and services.
Remote access protocols such as RDP should be disabled where possible. There are steps organizations can take to mitigate risk such as implementing and regularly reviewing authentication methods and enforcing policies for secure credential creation and multi-factor authentication.
Advanced security teams should also employ a proactive approach such as a threat intelligence program to identify external connections to suspicious domains or endpoints and mitigate any malicious remote connections to your organization. Detection tools can also be helpful in seeking out breaches that affect both endpoints and the network. A combination of network detection and response (NDR) and endpoint detection and response (EDR) can be used to detect breaches and lateral movement within a network.
Detection of remote service exploitation attacks can be enhanced using decryption. Remote service exploitation can occur across a wide variety of services both internal and public facing and over a variety of protocols such as HTTPs, MS-RPC, SMBv3 and more. For this reason, it's critical that security tools have decryption capabilities for all commonly encrypted industry protocols such as TLS and Microsoft protocols such as Kerberos, MS-RPC, SMBv3, and more.
Remote Services Exploitation History
In 2012, Kasperskly identified the malware program Flame which uses a print spooler vulnerability. The malware largely targeted Iran and neighboring countries and is estimated to have been in use since at least 2010.
More recently, the EternalBlue exploit which uses a vulnerability in Mircosoft's SMBv1 protocol, was developed by the NSA and used as a spy tool before it was leaked by a hacker group in April of 2017. After its leak, Microsoft quickly released a patch for the vulnerability but it has since been routinely exploited.
A wormable RDP exploit leveraging the BlueKeep vulnerability came to prominence in 2019, with Microsoft warning that attacks could be on par with those involving NotPetya and WannaCry. Despite the widely shared warning, in late 2020 it was reported that more than 245,000 Windows systems remained unpatched.