External Remote Services, Technique T1133 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v15/theme/favicon.ico" type='image/x-icon'> <title>External Remote Services, Technique T1133 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-select.min.css" />  <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v15/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v15/"><img src="/versions/v15/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v15/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v15/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/groups">Groups</a> <a class="dropdown-item" href="/versions/v15/software">Software</a> <a class="dropdown-item" href="/versions/v15/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v15/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v15/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v15/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v15/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v15/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">  <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">External Remote Services</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> External Remote Services </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as <a href="/versions/v15/techniques/T1021/006">Windows Remote Management</a> and <a href="/versions/v15/techniques/T1021/005">VNC</a> can also be used externally.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021."data-reference="MacOS VNC software for Remote Desktop"><sup><a href="https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p>Access to <a href="/versions/v15/techniques/T1078">Valid Accounts</a> to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017."data-reference="Volexity Virtual Private Keylogging"><sup><a href="https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Access to remote services may be used as a redundant or persistent access mechanism during an operation.</p><p>Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021."data-reference="Trend Micro Exposed Docker Server"><sup><a href="https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1133 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> No sub-techniques </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/versions/v15/tactics/TA0003">Persistence</a>, <a href="/versions/v15/tactics/TA0001">Initial Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Containers, Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Alfredo Oliveira, Trend Micro; Ariel Shuper, Cisco; Brad Geesaman, @bradgeesaman; Daniel Oakley; David Fiser, @anu4is, Trend Micro; David Tayouri; ExtraHop; Idan Frimark, Cisco; Jay Chen, Palo Alto Networks; Magno Logan, @magnologan, Trend Micro; Rory McCune, Aqua Security; Travis Smith, Tripwire; Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team; Yuval Avrahami, Palo Alto Networks </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>2.4 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>30 March 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1133" href="/versions/v15/techniques/T1133/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1133" href="/techniques/T1133/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/campaigns/C0028"> C0028 </a> </td> <td> <a href="/versions/v15/campaigns/C0028"> 2015 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v15/groups/G0034">Sandworm Team</a> installed a modified Dropbear SSH client as the backdoor to target systems. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1024"> G1024 </a> </td> <td> <a href="/versions/v15/groups/G1024"> Akira </a> </td> <td> <p><a href="/versions/v15/groups/G1024">Akira</a> uses compromised VPN accounts for initial access to victim networks.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024."data-reference="Secureworks GOLD SAHARA"><sup><a href="https://www.secureworks.com/research/threat-profiles/gold-sahara" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0026"> G0026 </a> </td> <td> <a href="/versions/v15/groups/G0026"> APT18 </a> </td> <td> <p><a href="/versions/v15/groups/G0026">APT18</a> actors leverage legitimate credentials to log into external remote services.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017."data-reference="RSA2017 Detect and Respond Adair"><sup><a href="https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5009/HTA-F02-Detecting-and-Responding-to-Advanced-Threats-within-Exchange-Environments.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v15/groups/G0007"> APT28 </a> </td> <td> <p><a href="/versions/v15/groups/G0007">APT28</a> has used <a href="/versions/v15/software/S0183">Tor</a> and a variety of commercial VPN services to route brute force authentication attempts.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v15/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v15/groups/G0016">APT29</a> has used compromised identities to access networks via VPNs and Citrix.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v15/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v15/groups/G0096">APT41</a> compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0027"> C0027 </a> </td> <td> <a href="/versions/v15/campaigns/C0027"> C0027 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0027">C0027</a>, <a href="/versions/v15/groups/G1015">Scattered Spider</a> used Citrix and VPNs to persist in compromised environments.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023."data-reference="Crowdstrike TELCO BPO Campaign December 2022"><sup><a href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0032"> C0032 </a> </td> <td> <a href="/versions/v15/campaigns/C0032"> C0032 </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0032">C0032</a> campaign, <a href="/versions/v15/groups/G0088">TEMP.Veles</a> used VPN access to persist in the victim environment.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019."data-reference="FireEye TRITON 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v15/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v15/groups/G0114">Chimera</a> has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021."data-reference="NCC Group Chimera January 2021"><sup><a href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0004"> C0004 </a> </td> <td> <a href="/versions/v15/campaigns/C0004"> CostaRicto </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0004">CostaRicto</a>, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0600"> S0600 </a> </td> <td> <a href="/versions/v15/software/S0600"> Doki </a> </td> <td> <p><a href="/versions/v15/software/S0600">Doki</a> was executed through an open Docker daemon API port.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021."data-reference="Intezer Doki July 20"><sup><a href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0035"> G0035 </a> </td> <td> <a href="/versions/v15/groups/G0035"> Dragonfly </a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021."data-reference="CISA AA20-296A Berserk Bear December 2020"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1016"> G1016 </a> </td> <td> <a href="/versions/v15/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/versions/v15/groups/G1016">FIN13</a> has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN).<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0053"> G0053 </a> </td> <td> <a href="/versions/v15/groups/G0053"> FIN5 </a> </td> <td> <p><a href="/versions/v15/groups/G0053">FIN5</a> has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017."data-reference="FireEye Respond Webinar July 2017"><sup><a href="https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017."data-reference="DarkReading FireEye FIN5 Oct 2015"><sup><a href="https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017."data-reference="Mandiant FIN5 GrrCON Oct 2016"><sup><a href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v15/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v15/groups/G0093">GALLIUM</a> has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021."data-reference="Microsoft GALLIUM December 2019"><sup><a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0115"> G0115 </a> </td> <td> <a href="/versions/v15/groups/G0115"> GOLD SOUTHFIELD </a> </td> <td> <p><a href="/versions/v15/groups/G0115">GOLD SOUTHFIELD</a> has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020."data-reference="Secureworks REvil September 2019"><sup><a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0601"> S0601 </a> </td> <td> <a href="/versions/v15/software/S0601"> Hildegard </a> </td> <td> <p><a href="/versions/v15/software/S0601">Hildegard</a> was executed through an unsecure kubelet that allowed anonymous access to the victim environment.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v15/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/versions/v15/groups/G0004">Ke3chang</a> has gained access through VPNs including with compromised accounts and stolen VPN certificates.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong"><sup><a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v15/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v15/groups/G0094">Kimsuky</a> has used RDP to establish persistence.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020."data-reference="CISA AA20-301A Kimsuky"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0599"> S0599 </a> </td> <td> <a href="/versions/v15/software/S0599"> Kinsing </a> </td> <td> <p><a href="/versions/v15/software/S0599">Kinsing</a> was executed in an Ubuntu container deployed via an open Docker daemon API.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021."data-reference="Aqua Kinsing April 2020"><sup><a href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1004"> G1004 </a> </td> <td> <a href="/versions/v15/groups/G1004"> LAPSUS$ </a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. <span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v15/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v15/groups/G0065">Leviathan</a> has used external remote services such as virtual private networks (VPN) to gain initial access.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021."data-reference="CISA AA21-200A APT40 July 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0362"> S0362 </a> </td> <td> <a href="/versions/v15/software/S0362"> Linux Rabbit </a> </td> <td> <p><a href="/versions/v15/software/S0362">Linux Rabbit</a> attempts to gain access to the server via SSH.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019."data-reference="Anomali Linux Rabbit 2018"><sup><a href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1060"> S1060 </a> </td> <td> <a href="/versions/v15/software/S1060"> Mafalda </a> </td> <td> <p><a href="/versions/v15/software/S1060">Mafalda</a> can establish an SSH connection from a compromised host to a server.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><sup><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0002"> C0002 </a> </td> <td> <a href="/versions/v15/campaigns/C0002"> Night Dragon </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a>, threat actors used compromised VPN accounts to gain access to victim systems.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon"><sup><a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v15/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v15/groups/G0049">OilRig</a> uses remote services such as VPN, Citrix, or OWA to persist in an environment.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017."data-reference="FireEye APT34 Webinar Dec 2017"><sup><a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0012"> C0012 </a> </td> <td> <a href="/versions/v15/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: <code>cscript //nologo "C:\Windows\System32\winrm.vbs" set winrm/config/service@{EnableCompatibilityHttpsListener="true"}</code>.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022"><sup><a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v15/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors used stolen credentials to connect to the victim's network via VPN.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v15/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v15/groups/G0034">Sandworm Team</a> has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. <a href="/versions/v15/groups/G0034">Sandworm Team</a> has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."data-reference="ESET BlackEnergy Jan 2016"><sup><a href="https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1015"> G1015 </a> </td> <td> <a href="/versions/v15/groups/G1015"> Scattered Spider </a> </td> <td> <p><a href="/versions/v15/groups/G1015">Scattered Spider</a> has leveraged legitimate remote management tools to maintain persistent access.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023."data-reference="CrowdStrike Scattered Spider BYOVD January 2023"><sup><a href="https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0024"> C0024 </a> </td> <td> <a href="/versions/v15/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>For the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/versions/v15/groups/G0016">APT29</a> used compromised identities to access networks via SSH, VPNs, and other remote access tools.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0139"> G0139 </a> </td> <td> <a href="/versions/v15/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/versions/v15/groups/G0139">TeamTNT</a> has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span> <a href="/versions/v15/groups/G0139">TeamTNT</a> has also targeted exposed kubelets for Kubernetes environments.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v15/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/versions/v15/groups/G0027">Threat Group-3390</a> actors look for and use VPN profiles during an operation to access the network using external VPN services.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><sup><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> <a href="/versions/v15/groups/G0027">Threat Group-3390</a> has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017."data-reference="SecureWorks BRONZE UNION June 2017"><sup><a href="https://www.secureworks.com/research/bronze-union" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v15/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v15/groups/G0102">Wizard Spider</a> has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020."data-reference="FireEye KEGTAP SINGLEMALT October 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/mitigations/M1042"> M1042 </a> </td> <td> <a href="/versions/v15/mitigations/M1042"> Disable or Remove Feature or Program </a> </td> <td> <p>Disable or block remotely available services that may be unnecessary.</p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1035"> M1035 </a> </td> <td> <a href="/versions/v15/mitigations/M1035"> Limit Access to Resource Over Network </a> </td> <td> <p>Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.</p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1032"> M1032 </a> </td> <td> <a href="/versions/v15/mitigations/M1032"> Multi-factor Authentication </a> </td> <td> <p>Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of <a href="/versions/v15/techniques/T1111">Multi-Factor Authentication Interception</a> techniques for some two-factor authentication implementations.</p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1030"> M1030 </a> </td> <td> <a href="/versions/v15/mitigations/M1030"> Network Segmentation </a> </td> <td> <p>Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0015"> <td> <a href="/versions/v15/datasources/DS0015">DS0015</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0015">Application Log</a> </td>  <td> <a href="/datasources/DS0015/#Application%20Log%20Content">Application Log Content</a> </td> <td> <p>When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.</p> </td> </tr> <tr class="datasource" id="uses-DS0028"> <td> <a href="/versions/v15/datasources/DS0028">DS0028</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0028">Logon Session</a> </td>  <td> <a href="/datasources/DS0028/#Logon%20Session%20Metadata">Logon Session Metadata</a> </td> <td> <p>Follow best practices for detecting adversary use of <a href="/versions/v15/techniques/T1078">Valid Accounts</a> for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.</p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/versions/v15/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0029">Network Traffic</a> </td>  <td> <a href="/datasources/DS0029/#Network%20Connection%20Creation">Network Connection Creation</a> </td> <td> <p>Monitor for newly constructed network connections that may use Valid Accounts to access and/or persist within a network using External Remote Services. Use of External Remote Services may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using External Remote Services.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Content"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Content">Network Traffic Content</a> </td> <td> <p>Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac" target="_blank"> Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/" target="_blank"> Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html" target="_blank"> Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank"> Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.secureworks.com/research/threat-profiles/gold-sahara" target="_blank"> Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/5009/HTA-F02-Detecting-and-Responding-to-Advanced-Threats-within-Exchange-Environments.pdf" target="_blank"> Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank"> National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank"> Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank"> Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank"> Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank"> Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" target="_blank"> CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" target="_blank"> Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" target="_blank"> Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank"> Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank"> MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="26.0"> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank"> Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank"> MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank"> Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank"> CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank"> Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" target="_blank"> Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank"> Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank"> ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" target="_blank"> CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank"> CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank"> Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank"> Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.secureworks.com/research/bronze-union" target="_blank"> Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank"> Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v15/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v15/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v15.1Website v4.1.6">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/versions/v15/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v15/theme/scripts/popper.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v15/theme/scripts/site.js?7332"></script> <script src="/versions/v15/theme/scripts/settings.js?6852"></script> <script src="/versions/v15/theme/scripts/search_bundle.js"></script>  <script src="/versions/v15/theme/scripts/resizer.js"></script>  <script src="/versions/v15/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v15/theme/scripts/settings.js"></script> <script src="/versions/v15/theme/scripts/tour/tour-techniques.js"></script> <script src="/versions/v15/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

External Remote Services, Technique T1133 - Enterprise | MITRE ATT&CK®