Compromised credentials for VPNs and remote desktop services accounted for 48% of ransomware attacks in Q3 2025 — nearly double the next leading attack vector. Internet-facing VPN appliances from Ivanti, Palo Alto Networks, Cisco, Fortinet, and SonicWall absorbed sustained exploitation throughout 2025, with GreyNoise recording nearly 3 billion malicious sessions targeting edge infrastructure over 162 days. Zscaler's 2025 VPN Risk Report found that 56% of organizations experienced VPN-related breaches, while 92% expressed concern that VPNs expose them to ransomware. The attack surface is massive, the credentials are cheap, and the payoff is full network access.
T1133 falls under two tactics: Initial Access (TA0001) and Persistence (TA0003). The technique covers any abuse of external-facing remote services to enter a network or maintain an ongoing foothold. This includes VPN gateways (Cisco AnyConnect, Ivanti Connect Secure, Fortinet FortiGate, Palo Alto GlobalProtect, SonicWall), remote desktop services (RDP, VNC, Citrix VDI), SSH servers, Outlook Web Access (OWA), Windows Remote Management (WinRM), and exposed container management interfaces (Docker API, Kubernetes API server, kubelets). The technique spans Windows, Linux, macOS, and container platforms.
T1133 has no sub-techniques. Unlike many ATT&CK techniques that branch into specialized variants, External Remote Services encompasses the full spectrum of remote access abuse under a single technique ID. This reflects the common operational pattern: regardless of whether the adversary targets a VPN, RDP, or SSH, the fundamental approach is the same — authenticate to (or exploit) an internet-facing service to gain a network foothold.
How External Remote Services Are Exploited
Credential-Based Access
The most common path to exploiting external remote services requires no exploit at all — just valid credentials. Adversaries obtain credentials through infostealer malware (Lumma, Redline, Raccoon), credential stuffing from breached databases, password spraying against VPN portals, phishing campaigns that harvest VPN passwords, or outright purchase from initial access brokers on dark web marketplaces. Once they have working credentials, attackers simply log into VPNs, RDP, Citrix, and SSH like any legitimate employee. The Akira ransomware group used credential stuffing and brute force against VPN endpoints as their primary initial access method throughout 2025, targeting organizations with weak password policies and missing MFA. Qilin similarly favored brute-forcing weak VPN passwords. INC Ransom relied on compromised credentials purchased from access brokers to enter victim environments via VPN and RDP.
Zero-Day and Vulnerability Exploitation
When credentials aren't available, adversaries exploit vulnerabilities in remote access appliances themselves. The VPN vulnerability landscape escalated dramatically in 2024–2025. Zscaler analyzed 411 VPN CVEs disclosed between 2020 and 2025, with 60% of the 83 vulnerabilities reported in 2024 rated high or critical severity. In January 2025, attackers exploited CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure, as a zero-day to breach Nominet (the UK's .uk domain registry) and target government agencies. SonicWall disclosed CVE-2024-53704, a critical authentication bypass in its SSL VPN that allowed attackers to hijack active sessions by sending crafted Base64-encoded cookies, effectively bypassing MFA. Cisco disclosed CVE-2025-20212, a denial-of-service vulnerability in AnyConnect VPN servers on Meraki devices. Fortinet warned of active exploitation of a five-year-old FortiOS SSL VPN flaw (CVE-2020-12812) that allowed MFA bypass through case manipulation of usernames.
Exposed Container APIs
In containerized environments, adversaries target exposed Docker APIs, Kubernetes API servers, and unsecured kubelets. TeamTNT used open-source tools like Weave Scope to target exposed Docker API ports, deploying cryptominers and lateral movement tools. The Hildegard malware exploited unsecured kubelets that allowed anonymous access, bypassing authentication entirely. The Kinsing malware targeted containers deployed via open Docker daemon APIs. These attacks require no credentials at all — they exploit services that were deployed without authentication, often in cloud environments where default configurations leave management interfaces publicly accessible.
Tor Hidden Services for Persistence
A newer persistence technique involves adversaries configuring Tor hidden services on compromised systems. Microsoft documented the BadPilot campaign (attributed to Seashell Blizzard, a Sandworm subgroup) using a tool called ShadowLink to install Tor hidden services on compromised systems. ShadowLink creates a .onion address that forwards inbound connections to RDP, giving adversaries persistent remote access through the Tor network. The tool persists by masquerading as a Microsoft Defender application, making it harder to identify during routine security reviews.
Why External Remote Services Matter
When adversaries use valid credentials to log into a corporate VPN, the resulting session is indistinguishable from legitimate employee access at the network level. There is no malware to detect, no exploit signature to match, no anomalous protocol behavior to flag. The attacker appears as an authorized user accessing authorized resources. Detection must shift entirely to behavioral analysis: unusual login times, atypical geolocations, abnormal data access patterns, and impossible travel scenarios become the only reliable indicators.
VPNs grant broad network access. Unlike application-specific access controls, traditional VPNs place authenticated users directly on the internal network. A compromised VPN credential doesn't just grant access to one application — it provides a network-level foothold from which the attacker can scan internal systems, move laterally, escalate privileges, and access any resource reachable from the VPN subnet. Zscaler's research found that 89% of security professionals expressed concern about lateral movement enabled by VPN access, and 71% ranked it as a top security risk.
Remote services provide redundant persistence. Adversaries use external remote services not just for initial entry but as fallback access mechanisms. If a primary backdoor is discovered and removed, the attacker can re-enter through VPN credentials, RDP access, or SSH keys that remain valid. APT29 (Cozy Bear) used compromised VPN and Citrix identities as persistent access paths during the SolarWinds campaign. Sandworm installed modified Dropbear SSH clients with hardcoded backdoor passwords to maintain persistent access to Ukrainian infrastructure. Ember Bear used VPNs for both initial access and ongoing persistence.
Edge infrastructure is under constant siege. GreyNoise recorded nearly 3 billion malicious sessions targeting internet-facing VPNs, routers, and remote access services between July and December 2025, averaging roughly 212 malicious sessions per second. Enterprise VPN platforms from Palo Alto Networks, Cisco, and Fortinet generated millions of individual exploitation sessions. This volume of probing means that any vulnerability or weak credential is discovered and exploited rapidly — often within hours of a CVE disclosure or proof-of-concept release.
The credential supply chain is thriving. The demand for stolen VPN and RDP credentials has created a robust underground economy. Infostealer malware harvests credentials at scale. Even after major law enforcement operations like Operation ENDGAME against Lumma Stealer infrastructure in 2025, competing infostealers like Rhadamanthys immediately filled the gap. Initial access brokers sell verified VPN credentials on dark web forums, often including details about the target organization's size, industry, and revenue — allowing ransomware operators to select victims based on ability to pay.
Real-World Case Studies
Case 1: Ivanti Connect Secure Zero-Day — Nominet Breach (January 2025)
In January 2025, attackers exploited CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure VPN, as a zero-day before Ivanti released a patch on January 8. The breach was detected at Nominet, the organization that manages the UK's .uk domain registry, during the week of December 30, 2024. While no data exfiltration was confirmed, the intrusion demonstrated how quickly flaws in remote access infrastructure can expose even high-value targets. A public proof-of-concept appeared on January 17, lowering the barrier for broader exploitation. Financial institutions and government agencies were also affected, with attackers using the flaw to establish persistent footholds. CISA issued an advisory and conducted research showing that exploitation of Ivanti VPN vulnerabilities could yield domain administrator credentials, root-level persistence, and bypass of integrity checking tools.
Case 2: Akira Ransomware — VPN Credential Attacks at Scale (2025)
Akira emerged as the dominant ransomware operator in Q3 2025, conducting 39% of all ransomware attacks in the quarter. The group's preferred initial access method was attacking VPN infrastructure through credential stuffing and brute force. Akira targeted organizations with weak password policies and missing multi-factor authentication, often gaining access within hours of beginning their attacks. Once inside via VPN, the group moved rapidly to deploy ransomware across victim environments. CISA issued advisory AA23-352A documenting Akira's tactics, and the Play ransomware group adopted similar VPN and RDP access strategies. The Q3 2025 data showed that compromised VPN credentials accounted for nearly half of all ransomware initial access vectors, with Akira, Qilin, and INC Ransom collectively responsible for 65% of attacks.
Case 3: Volt Typhoon — Critical Infrastructure Persistence (2023–2025)
Volt Typhoon, a Chinese state-sponsored group, used compromised VPN credentials to access U.S. critical infrastructure including water utilities, power grids, communications systems, and transportation networks. CISA's joint advisory (AA24-038A) detailed how the group used VPNs to connect to victim environments and enable post-exploitation actions, maintaining access for months without detection. The group's hallmark was living off the land — using legitimate tools and valid credentials to avoid triggering security alerts. Volt Typhoon's campaign demonstrated that external remote services are not just an initial access vector but a sustained operational platform for long-term espionage.
Case 4: Scattered Spider — Telecom and BPO Intrusions (2022–2025)
Scattered Spider used Citrix and VPN access to persist in compromised telecom and business process outsourcing (BPO) environments. The group combined social engineering (SIM swapping, helpdesk manipulation) with legitimate remote management tools to maintain persistent access. CrowdStrike documented Scattered Spider's use of bring-your-own-vulnerable-driver tactics to disable endpoint security after gaining VPN access, and the group's intrusion into Aflac resulted in the theft of insurance claims data, health records, and Social Security numbers. Scattered Spider's approach highlighted a key T1133 pattern: VPN access as the gateway to full domain compromise.
Case 5: Sandworm / Seashell Blizzard — BadPilot Campaign (2025)
Microsoft documented the BadPilot campaign, attributed to a Seashell Blizzard subgroup (part of Sandworm / APT44), which used the ShadowLink tool to configure Tor hidden services on compromised systems. ShadowLink created .onion addresses that forwarded connections to RDP, providing persistent remote access through the Tor network that was invisible to traditional network monitoring. The tool masqueraded as a Microsoft Defender application for persistence. This campaign represented an evolution of T1133 — rather than relying on existing VPN infrastructure, the adversary built their own hidden remote access service on compromised systems.
Detection Strategies
A VPN login from an unusual location is weak evidence on its own. The high-confidence detection pattern chains multiple events: failed authentication attempts from external IPs, followed by a successful login, followed by internal reconnaissance or lateral movement. MITRE's detection strategy DET0354 defines four analytics covering VPN/RDP/SSH brute force chains, container API exploitation, and VNC abuse — each requiring multiple behavioral indicators before triggering an alert.
| Data Source | Component | Detection Focus |
|---|---|---|
| Application Log | Authentication Log | Failed VPN/RDP/SSH logins from external IPs followed by successful authentication; impossible travel (logins from geographically distant locations within short timeframes) |
| Logon Session | Logon Session Creation | VPN sessions from unusual geolocations, outside business hours, or from IP ranges associated with VPN providers, Tor exit nodes, or hosting services |
| Logon Session | Logon Session Metadata | Concurrent VPN sessions for the same user from different IPs; session duration anomalies; duplicate sessions indicating credential sharing |
| Network Traffic | Network Traffic Flow | Unusual inbound connections to RDP (3389), SSH (22), VNC (5900), Docker API (2375/2376), Kubernetes API (6443/10250); connections from Tor exit nodes |
| Network Traffic | Network Traffic Content | Unexpected container creation commands via exposed APIs; unauthorized kubectl or docker exec commands from external sources |
Splunk / SIEM Detection Queries
VPN Brute Force Followed by Successful Login — Detect credential-based attacks against VPN infrastructure:

```
index=vpn_logs action=failed src_ip!=10.0.0.0/8 src_ip!=172.16.0.0/12
| stats count as fail_count dc(user) as targeted_users
    values(user) as users by src_ip
| where fail_count > 15
| join src_ip [search index=vpn_logs action=success
    | stats earliest(_time) as first_success values(user) as success_users
        by src_ip]
| sort - fail_count
```
Impossible Travel Detection for VPN Logins — Identify logins from geographically impossible locations (the `sort 0` keeps every event; a bare `sort` silently truncates at 10,000 results, so the per-user sequence would be incomplete on a busy VPN):

```
index=vpn_logs action=success
| iplocation src_ip
| sort 0 user _time
| streamstats current=f last(lat) as prev_lat last(lon) as prev_lon
    last(_time) as prev_time last(City) as prev_city by user
| eval time_diff_hrs=((_time-prev_time)/3600)
| eval distance_km=round(3959*acos(sin(prev_lat*pi()/180)*sin(lat*pi()/180)
    +cos(prev_lat*pi()/180)*cos(lat*pi()/180)*cos((lon-prev_lon)*pi()/180))*1.609,0)
| where time_diff_hrs>0 AND time_diff_hrs<8 AND distance_km>800
| table user _time prev_time prev_city City distance_km time_diff_hrs
```
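The two SPL searches above (brute force followed by a success, and impossible travel) express their logic in Splunk terms. The script below is an added example, not code from the page, that carries out the same two checks stand-alone so the logic can be read and tested without a SIEM. The thresholds mirror the searches (more than 15 failures from one external source, more than 800 km within 8 hours); the log line format, user names, addresses and the small IP-to-coordinate table that stands in for Splunk's `iplocation` are all constructed for the example.

```python
"""Behavioral checks over VPN authentication logs, mirroring the two SPL
searches above: external source IPs whose failed logins are followed by a
success, and impossible travel between consecutive successful logins of one
user. Added example: the log lines and the IP geolocation table are constructed."""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime

# Constructed log lines, format "<ISO time> <action> user=<u> src_ip=<ip>".
# 203.0.113.10 sprays 16 accounts and succeeds against jdoe an hour later;
# kwong logs in from London and then from New York two hours later.
SAMPLE_LOG = "\n".join(
    [f"2025-10-03T01:00:{i:02d} failed user=user{i:02d} src_ip=203.0.113.10"
     for i in range(16)]
    + ["2025-10-03T02:00:00 success user=jdoe src_ip=203.0.113.10",
       "2025-10-03T09:00:00 success user=kwong src_ip=198.51.100.7",
       "2025-10-03T11:00:00 success user=kwong src_ip=192.0.2.44",
       "2025-10-03T09:10:00 failed user=bob src_ip=10.20.30.40",
       "2025-10-03T09:11:00 success user=bob src_ip=10.20.30.40"])

# Stand-in for Splunk's iplocation lookup: ip -> (lat, lon, city). Constructed.
GEO = {"198.51.100.7": (51.5074, -0.1278, "London"),
       "192.0.2.44": (40.7128, -74.0060, "New York"),
       "203.0.113.10": (48.8566, 2.3522, "Paris")}

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when ip lies outside the RFC 1918 ranges the SPL searches exclude."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def parse_log(text):
    """Parse the constructed lines into (time, action, user, src_ip), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user_kv, ip_kv = line.split()
        events.append((datetime.fromisoformat(ts), action,
                       user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]))
    return sorted(events)


def brute_force_then_success(events, fail_threshold=15):
    """External src_ip with more than fail_threshold failures and a later
    success. Returns {src_ip: summary}; internal sources are ignored."""
    per_ip = defaultdict(lambda: {"fail_count": 0, "targeted_users": set(),
                                  "success_users": set(), "first_success": None})
    for ts, action, user, ip in events:
        if not is_external(ip):
            continue
        rec = per_ip[ip]
        if action == "failed":
            rec["fail_count"] += 1
            rec["targeted_users"].add(user)
        elif action == "success" and rec["fail_count"] > 0:  # success after failures
            rec["success_users"].add(user)
            rec["first_success"] = rec["first_success"] or ts
    return {ip: r for ip, r in per_ip.items()
            if r["fail_count"] > fail_threshold and r["success_users"]}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km. The asin form stays accurate for nearby
    points, where the acos form used in the SPL can hit rounding error."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_hours=8.0, min_km=800.0, geo=GEO):
    """Consecutive successful logins of one user more than min_km apart within
    max_hours. A zero gap (two simultaneous sessions from distant places) is
    flagged as well; logins without a geolocation are skipped."""
    last_seen, hits = {}, []
    for ts, action, user, ip in events:
        if action != "success" or ip not in geo:
            continue
        lat, lon, city = geo[ip]
        if user in last_seen:
            pts, plat, plon, pcity = last_seen[user]
            hours = (ts - pts).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours < max_hours and km > min_km:
                hits.append({"user": user, "from": pcity, "to": city,
                             "distance_km": round(km), "hours": round(hours, 2)})
        last_seen[user] = (ts, lat, lon, city)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, r in brute_force_then_success(evs).items():
        print(f"{ip}: {r['fail_count']} failures against {len(r['targeted_users'])} "
              f"accounts, then success as {sorted(r['success_users'])}")
    for h in impossible_travel(evs):
        print("impossible travel:", h)
```

Two design points differ from the SPL on purpose. The brute-force check only counts a success that comes after the failures from the same source, which the `join` in the search does not enforce. The travel check also flags a zero time gap, since two simultaneous sessions from distant places are the concurrent-session case the Logon Session Metadata row in the table above calls out, and it uses the asin form of the great-circle formula, which does not produce NaN for two logins from the same coordinates the way `acos` of a value fractionally above 1 can.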
Exposed Container API Access from External Sources — Detect unauthorized access to Docker and Kubernetes management interfaces:

```
index=firewall_logs dest_port IN (2375, 2376, 6443, 10250, 10255)
    src_ip!=10.0.0.0/8 src_ip!=172.16.0.0/12 src_ip!=192.168.0.0/16
    action=allowed
| stats count dc(dest_ip) as target_count values(dest_port) as ports
    by src_ip
| where count > 5
| sort - count
```
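The same check as the SPL search above, written as an added Python example (not code from the page) over constructed firewall lines. It goes one step beyond the search: besides the count threshold, any allowed external connection to a port that serves without authentication by default (2375, the Docker API without TLS, and 10255, the kubelet read-only port) is reported on its own, because a single reachable unauthenticated management port is already the condition the TeamTNT and Hildegard cases above exploited. The `src=... dst=... dport=... action=...` line layout is an assumption for the example, not a vendor log format.

```python
"""Flag external sources that the firewall allowed through to container
management ports, mirroring the SPL search above. Added example: the firewall
lines are constructed and their key=value layout is assumed, not a vendor format."""
import ipaddress
from collections import defaultdict

# Ports from the SPL search and the service each one normally carries. 2375 (Docker
# API without TLS) and 10255 (read-only kubelet) serve without authentication,
# so any external hit on them is reported regardless of count.
CONTAINER_PORTS = {2375: "docker-api", 2376: "docker-api-tls", 6443: "kube-apiserver",
                   10250: "kubelet", 10255: "kubelet-readonly"}
UNAUTHENTICATED_PORTS = {2375, 10255}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall lines: "src=<ip> dst=<ip> dport=<port> action=<allowed|denied>".
SAMPLE_FIREWALL = "\n".join(
    [f"src=203.0.113.50 dst=10.0.5.{i} dport=2376 action=allowed" for i in range(1, 5)]
    + ["src=203.0.113.50 dst=10.0.5.9 dport=10250 action=allowed",
       "src=203.0.113.50 dst=10.0.5.9 dport=6443 action=allowed",
       "src=198.51.100.9 dst=10.0.5.1 dport=6443 action=denied",   # blocked: not counted
       "src=198.51.100.9 dst=10.0.5.1 dport=6443 action=denied",
       "src=192.168.1.20 dst=10.0.5.1 dport=6443 action=allowed",  # internal admin
       "src=192.0.2.8 dst=10.0.5.3 dport=10255 action=allowed",    # one hit, unauthenticated port
       "src=203.0.113.77 dst=10.0.5.2 dport=443 action=allowed"])  # not a management port


def is_external(ip):
    """True when ip lies outside the RFC 1918 ranges the SPL search excludes."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def parse_firewall(text):
    """Turn each constructed line into (src, dst, dport, action)."""
    rows = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        rows.append((kv["src"], kv["dst"], int(kv["dport"]), kv["action"]))
    return rows


def external_container_api_access(rows, min_hits=5):
    """Per external source: allowed connections to container management ports.
    A source is returned when its count exceeds min_hits (the SPL threshold)
    or when it reached any unauthenticated port at all."""
    per_src = defaultdict(lambda: {"count": 0, "targets": set(), "services": set(),
                                   "unauthenticated": False})
    for src, dst, dport, action in rows:
        if action != "allowed" or dport not in CONTAINER_PORTS or not is_external(src):
            continue
        rec = per_src[src]
        rec["count"] += 1
        rec["targets"].add(dst)
        rec["services"].add(CONTAINER_PORTS[dport])
        rec["unauthenticated"] = rec["unauthenticated"] or dport in UNAUTHENTICATED_PORTS
    return {src: {**r, "targets": sorted(r["targets"]), "services": sorted(r["services"])}
            for src, r in per_src.items()
            if r["count"] > min_hits or r["unauthenticated"]}


if __name__ == "__main__":
    for src, r in external_container_api_access(parse_firewall(SAMPLE_FIREWALL)).items():
        print(src, r)
```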
RDP Login from External IP Followed by Lateral Movement — Chain detection for RDP-based initial access (the join key must be `Account_Name`, the field the subsearch groups by; joining on `ComputerName` matches nothing because the subsearch output has no such field):

```
index=windows EventCode=4624 Logon_Type=10
    src_ip!=10.0.0.0/8 src_ip!=172.16.0.0/12
| join Account_Name [search index=windows EventCode=4624 Logon_Type=3
    | stats count as lateral_count dc(ComputerName) as systems_touched
        values(ComputerName) as lateral_targets by Account_Name
    | where lateral_count > 3]
| stats count values(src_ip) as external_ips
    values(lateral_targets) as lateral_systems by Account_Name
| sort - count
```
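The SPL `join` above pairs an account's external RDP logon with its network logons regardless of order, so an account that did its routine file-share work in the morning and was RDP'd into from outside at night looks the same as one whose external RDP session was followed by a fan-out. The added Python example below (not code from the page) applies the ordering a practitioner would want: only type-3 logons that occur after an external type-10 logon, within a window, and to a host other than the RDP target, count as lateral movement. The events are constructed dictionaries shaped like the Windows 4624 fields the search uses; the host names, addresses and four-hour window are assumptions for the example.

```python
"""Chain detection: a type-10 (RemoteInteractive, i.e. RDP) logon from an
external address, followed by type-3 (network) logons by the same account to
several other hosts. Added example; the events are constructed to look like
Windows 4624 fields and are not real telemetry."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when ip lies outside the RFC 1918 ranges the SPL search excludes."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def ev(t, logon_type, account, host, src_ip):
    """Build one constructed event with the 4624 field names the search uses."""
    return {"_time": datetime.fromisoformat(t), "EventCode": 4624, "Logon_Type": logon_type,
            "Account_Name": account, "ComputerName": host, "src_ip": src_ip}


SAMPLE_EVENTS = [
    # svc_backup: RDP from an external address, then network logons to four hosts.
    ev("2025-10-03T03:00:00", 10, "svc_backup", "JUMP01", "203.0.113.25"),
    ev("2025-10-03T03:05:00", 3, "svc_backup", "FS01", "10.0.1.5"),
    ev("2025-10-03T03:06:00", 3, "svc_backup", "FS02", "10.0.1.5"),
    ev("2025-10-03T03:10:00", 3, "svc_backup", "DC01", "10.0.1.5"),
    ev("2025-10-03T03:20:00", 3, "svc_backup", "SQL01", "10.0.1.5"),
    # admin: RDP from an internal workstation, then wide network logons (expected).
    ev("2025-10-03T09:00:00", 10, "admin", "JUMP01", "10.0.0.5"),
    ev("2025-10-03T09:01:00", 3, "admin", "FS01", "10.0.1.5"),
    ev("2025-10-03T09:02:00", 3, "admin", "FS02", "10.0.1.5"),
    ev("2025-10-03T09:03:00", 3, "admin", "DC01", "10.0.1.5"),
    ev("2025-10-03T09:04:00", 3, "admin", "SQL01", "10.0.1.5"),
    # jdoe: external RDP but only one network logon afterwards (below threshold);
    # the network logon from earlier that morning predates the RDP and is not counted.
    ev("2025-10-03T10:00:00", 10, "jdoe", "JUMP01", "198.51.100.3"),
    ev("2025-10-03T10:30:00", 3, "jdoe", "FS01", "10.0.1.5"),
    ev("2025-10-03T01:00:00", 3, "jdoe", "FS02", "10.0.1.5"),
]


def rdp_then_lateral(events, min_hosts=3, window=timedelta(hours=4)):
    """Accounts whose external RDP logon is followed within `window` by network
    logons to more than min_hosts distinct hosts other than the RDP target.
    Returns {account: {"external_ips", "rdp_hosts", "lateral_hosts"}}."""
    rdp = defaultdict(list)     # account -> [(time, host, src_ip)] for external RDP logons
    lateral = defaultdict(set)  # account -> hosts reached by network logon afterwards
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["EventCode"] != 4624:
            continue
        acct = e["Account_Name"]
        if e["Logon_Type"] == 10 and is_external(e["src_ip"]):
            rdp[acct].append((e["_time"], e["ComputerName"], e["src_ip"]))
        elif e["Logon_Type"] == 3:
            for t, host, _ in rdp.get(acct, []):
                if host != e["ComputerName"] and t <= e["_time"] <= t + window:
                    lateral[acct].add(e["ComputerName"])
                    break
    return {acct: {"external_ips": sorted({s for _, _, s in rdp[acct]}),
                   "rdp_hosts": sorted({h for _, h, _ in rdp[acct]}),
                   "lateral_hosts": sorted(hosts)}
            for acct, hosts in lateral.items() if len(hosts) > min_hosts}


if __name__ == "__main__":
    for acct, r in rdp_then_lateral(SAMPLE_EVENTS).items():
        print(f"{acct}: RDP from {r['external_ips']} into {r['rdp_hosts']}, "
              f"then network logons to {r['lateral_hosts']}")
```

The threshold of more than three distinct hosts is the one from the search; on a real estate tune it per account class, since service accounts that legitimately touch many hosts will otherwise dominate the results, and the interesting signal there is the external RDP logon itself rather than the fan-out.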
Known Threat Actors
| Threat Actor | Remote Service | Notable Detail |
|---|---|---|
| Volt Typhoon (China) | VPN | U.S. critical infrastructure; months-long persistence via VPN (CISA AA24-038A) |
| APT29 / Cozy Bear (SVR) | VPN, Citrix | SolarWinds campaign; COVID-19 vaccine research targeting via VPN |
| Sandworm / APT44 (GRU) | SSH, VPN, Tor hidden service | Ukraine grid attacks; BadPilot/ShadowLink Tor persistence (2025) |
| APT28 / Fancy Bear (GRU) | VPN | Global brute force campaign via Tor and commercial VPNs |
| Scattered Spider | VPN, Citrix | Telecom/BPO intrusions; social engineering + VPN persistence |
| LAPSUS$ | VPN, RDP, Citrix VDI | High-profile breaches via internet-facing remote services |
| Akira | VPN | 39% of Q3 2025 ransomware; credential stuffing against VPN |
| Play | RDP, VPN | CISA AA23-352A; initial access via RDP and VPN services |
| Wizard Spider (Ryuk/Conti) | VPN | Stolen credentials to access corporate VPN infrastructure |
| GOLD SOUTHFIELD (REvil) | RDP | Publicly accessible RDP and remote management servers |
| Velvet Ant (China) | Remote services | F5 load balancer abuse for persistence (Sygnia, 2024) |
| TeamTNT | Docker API, Kubernetes | Exposed container APIs; Weave Scope for Docker access |
| Chimera | VPN, Citrix, SSH | Taiwan semiconductor targeting via legitimate remote services |
| Ember Bear (GRU) | VPN | U.S. and global critical infrastructure; VPN for access + persistence |
| OilRig / APT34 (Iran) | VPN, Citrix, OWA | Middle East targeting; VPN persistence across campaigns |
Defensive Recommendations
1. Enforce Multi-Factor Authentication on All Remote Services
MFA on every external remote access point — VPN, RDP, SSH, Citrix, OWA — is the single most impactful mitigation for T1133. Stolen credentials become useless without the second factor. Use phishing-resistant MFA (FIDO2/WebAuthn hardware keys) rather than SMS or app-based OTP where possible, as adversaries increasingly intercept MFA tokens (see T1111 Multi-Factor Authentication Interception). Be aware that VPN vulnerabilities like SonicWall's CVE-2024-53704 can bypass MFA entirely through session hijacking, so MFA must be combined with other controls.
2. Patch VPN and Edge Appliances Within 24–48 Hours
VPN appliances are the highest-priority patching target in enterprise environments. Zero-day exploitation of Ivanti, SonicWall, Fortinet, and Cisco VPN products in 2024–2025 demonstrates that adversaries weaponize VPN vulnerabilities within days of disclosure. Monitor vendor security advisories and CISA's Known Exploited Vulnerabilities catalog. When patching is not immediately possible, apply vendor-recommended mitigations and consider temporarily restricting VPN access to known IP ranges.
3. Implement Network Segmentation Behind Remote Access
VPNs should not grant users broad network access. Segment the network so that VPN users can only reach the specific resources they need, not the entire internal network. Use micro-segmentation to prevent lateral movement even after successful VPN authentication. This limits the blast radius of a compromised credential from full network access to a narrow set of authorized applications.
4. Disable Unnecessary Remote Services
Audit all internet-facing services and disable any that are not required. Close RDP to the internet (use VPN or jump hosts instead). Secure or remove exposed Docker APIs, Kubernetes dashboards, and container management interfaces. Disable WinRM and VNC on systems that don't require remote management. Every exposed service is an attack surface that must be monitored, patched, and defended.
5. Monitor for Credential-Based Anomalies
Deploy behavioral analytics to detect credential abuse against remote services. Alert on impossible travel (logins from distant locations within short timeframes), concurrent sessions from different IP addresses, logins outside business hours, access from known VPN/proxy/Tor infrastructure, and sudden spikes in failed authentication attempts. Correlate VPN login events with subsequent internal activity to detect the full attack chain.
6. Block Tor Traffic and Known Malicious Infrastructure
Restrict traffic to and from public Tor exit nodes to prevent Tor-based brute force attacks and ShadowLink-style hidden service persistence. CISA recommends blocking Tor traffic at network boundaries. Monitor for Tor client installation on endpoints, which may indicate adversary persistence via hidden services. Additionally, maintain blocklists of known bulletproof hosting providers and infrastructure associated with credential-stuffing operations.
7. Evaluate Zero Trust Network Access (ZTNA) Alternatives
Consider replacing traditional VPNs with ZTNA solutions that provide application-level access based on identity and device posture rather than network-level access. ZTNA eliminates the broad network access that makes VPN compromise so dangerous, enforcing least-privilege access for every session. According to Zscaler's 2025 survey, 65% of enterprises intend to replace their VPNs within a year, driven by the accumulating VPN vulnerability and breach data.
8. Secure Container Management Interfaces
Never expose Docker API, Kubernetes API server, kubelets, or container management dashboards to the internet without authentication. Use network policies to restrict access to container management planes to authorized internal IPs only. Enable audit logging for all container orchestration commands. Regularly scan for accidentally exposed container services using external attack surface management tools.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1133 |
| Name | External Remote Services |
| Tactics | Initial Access (TA0001), Persistence (TA0003) |
| Sub-Techniques | None |
| Platforms | Containers, Linux, Windows, macOS |
| Version | 2.5 (Last Modified October 2025) |
| Data Sources | Application Log: Authentication Log, Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow |
| Mitigations | M1042 Disable or Remove Feature or Program, M1035 Limit Access to Resource Over Network, M1032 Multi-factor Authentication, M1030 Network Segmentation, M1021 Restrict Web-Based Content |
| Related Techniques | T1078 Valid Accounts, T1021 Remote Services, T1190 Exploit Public-Facing Application, T1111 Multi-Factor Authentication Interception |
Sources and References
This article draws on vendor threat intelligence, government advisories, and industry research. All referenced sources are publicly available.
- Beazley Security — Quarterly Threat Report Q3 2025: Compromised VPN Credentials Leading Attack Vector: hipaajournal.com
- GreyNoise — State of the Edge: 2.97 Billion Malicious Sessions Targeting Edge Infrastructure (H2 2025): helpnetsecurity.com
- Zscaler ThreatLabz — 2025 VPN Risk Report: zscaler.com
- Cybersecurity Insiders — VPN Exposure Report 2025: cybersecurity-insiders.com
- CISA/FBI/Five Eyes — Ivanti Connect Secure Advisory (AA24-060B): cisa.gov
- CISA — PRC State-Sponsored Actors Compromise U.S. Critical Infrastructure (AA24-038A): cisa.gov
- CISA — Russian Military Cyber Actors Target Global Critical Infrastructure (AA24-249A): cisa.gov
- Microsoft — The BadPilot Campaign: Seashell Blizzard Subgroup (February 2025): microsoft.com
- SOCRadar — Top 10 CVEs of 2025: socradar.io
- MITRE ATT&CK — T1133 External Remote Services (v18, October 2025): attack.mitre.org