NEW

2024 True Cost of a Security Breach

Arrow pointing right
ExtraHop Logo
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right

Remote Services Exploitation - Definition, Examples, & Prevention - ExtraHop

Risk Factors

Likelihood

Complexity

Business Impact

What Is Remote Services Exploitation?

Remote services exploitation is a technique that allows an adversary to gain unauthorized access into a network's internal systems by taking advantage of a vulnerability (such as a programming error) or a valid account. Once a remote connection is made, an attacker might execute adversary-controlled code, most likely with a goal to move laterally to that system.

To identify vulnerable systems, attackers typically employ one or more discovery techniques such as network service scanning to seek out unpatched software.

Common ransomware and malware such as Ryuk, WannaCry and NotPeya, contain features that use known exploits to execute code onto a network, ultimately resulting in lateral movement and propagation.

Remote Desktop Protocol (RDP) is a common target for remote service, and it's easy to see why. It's prevalent in enterprise environments, it provides remote access to a Windows device, and it leaves credentials exposed in memory.

Examples of Remote Services Exploitation

WannaCry

WannaCry (a type of ransomware) used the SMBv1 exploit known as EternalBlue to spread itself across networks which can then allow it to execute other functions such as service stop and inhibit system recovery.

NotPetya

NotPetya is a form of wiper malware that uses two SMBv1 exploits, EternalBlue and EternalRomance, to spread itself onto remote systems.


Emotet

A modular malware variant, Emotet uses SMB vulnerabilities, including EternalBlue, to move laterally.


Protection Against Remote Service Exploitation

To avoid costly exploits, your first line of defense should be to reduce and secure vulnerable access points. Start by updating software to keep any newly released patches up to date, and disable and remove any unused programs. From there, application isolation, sandboxing, and network segmentation can prevent lateral movement and reduce access to certain systems and services.

Remote access protocols such as RDP should be disabled where possible. There are steps organizations can take to mitigate risk such as implementing and regularly reviewing authentication methods and enforcing policies for secure credential creation and multi-factor authentication.

Advanced security teams should also employ a proactive approach such as a threat intelligence program to identify external connections to suspicious domains or endpoints and mitigate any malicious remote connections to your organization. Detection tools can also be helpful in seeking out breaches that affect both endpoints and the network. A combination of network detection and response (NDR) and endpoint detection and response (EDR) can be used to detect breaches and lateral movement within a network.

Detection of remote service exploitation attacks can be enhanced using decryption. Remote service exploitation can occur across a wide variety of services both internal and public facing and over a variety of protocols such as HTTPs, MS-RPC, SMBv3 and more. For this reason, it's critical that security tools have decryption capabilities for all commonly encrypted industry protocols such as TLS and Microsoft protocols such as Kerberos, MS-RPC, SMBv3, and more.


Remote Services Exploitation History

In 2012, Kasperskly identified the malware program Flame which uses a print spooler vulnerability. The malware largely targeted Iran and neighboring countries and is estimated to have been in use since at least 2010.

More recently, the EternalBlue exploit which uses a vulnerability in Mircosoft's SMBv1 protocol, was developed by the NSA and used as a spy tool before it was leaked by a hacker group in April of 2017. After its leak, Microsoft quickly released a patch for the vulnerability but it has since been routinely exploited.

A wormable RDP exploit leveraging the BlueKeep vulnerability came to prominence in 2019, with Microsoft warning that attacks could be on par with those involving NotPetya and WannaCry. Despite the widely shared warning, in late 2020 it was reported that more than 245,000 Windows systems remained unpatched.