Threat Hunter’s Corner: VS Code Remote Tunnels
by Josh Shepard on 2025 | 01
Welcome
Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode, we’ll be exploring how threat actors use VS Code remote tunnels and how you can go about detecting them before it’s too late.
RadBot Generated Text Summary
Introduction
Hey everyone, Josh Shepard here. Welcome to this edition of the Threat Hunters Corner. Today, we are diving into a critical topic: the use of Visual Studio Code (VS Code) remote tunnels for persistent remote access by nation-state threat actors. This issue has been highlighted by several cybersecurity vendors, including SentinelOne, Cybereason, and Palo Alto Networks' Unit 42, who have all reported that Chinese nation-state actors are leveraging this feature for malicious purposes.
Understanding VS Code Remote Tunnels
VS Code remote tunnels are a feature designed to allow developers to access a development environment remotely. This capability is intended to facilitate collaborative coding by enabling developers to work on remote assets seamlessly. Given its utility and the backing of Microsoft, VS Code has gained significant popularity across various sectors.
However, this same feature that aids developers can also be exploited by threat actors. If VS Code is already installed on a machine, attackers can use its remote tunnel capabilities to maintain persistent access without needing to introduce new tools, making it an attractive option for malicious activities.
Threat Hunting and Detection Strategies
Inverted Pyramid Approach
When searching for potentially malicious VS Code usage, you can use an inverted pyramid approach:
- Broad Detection: Initially, look for any evidence of VS Code usage. This will help develop your baseline of VS Code usage, and if VS Code is not used within your organization, consider blocking its installation to prevent potential misuse.
  - If VS Code is NOT used in your environment, consider blocking its installation or develop a broad analytic to detect ANY time it gets written to disk or executed.
- Focused Detection: If VS Code is in use but remote tunnels are not, search for any command-line arguments indicative of remote tunnel setup.
  - If remote tunnels are NOT used in your environment, consider killing VS Code processes that try to spawn one or develop detections to generate alerts any time a tunnel is spawned.
- Detailed Analysis: If both VS Code and its remote tunnels are in use, identify and monitor the assets these tunnels connect to. Ensure these connections are to known and approved assets.
  - Consider developing a list of approved assets that remote tunnels can connect to, and flag and/or prevent any deviations.
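The three tiers above, as an added example that is not part of the original post: a small Python triage that runs the inverted pyramid over constructed process-creation and network-connection events. The event schema, the VS Code executable names listed in the block, and the approved-host list are assumptions for illustration; the `tunnel` subcommand and the `--name` and `--accept-server-license-terms` flags are the real VS Code CLI options. Two policy switches (is VS Code sanctioned at all, are tunnels sanctioned) decide which tier produces findings, mirroring the decision points in the list.

```python
"""Inverted-pyramid triage of VS Code remote tunnel activity.

Added example, not code from the original post. Event fields, image names
and APPROVED_HOSTS are assumptions; adapt them to your EDR's schema.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from typing import Optional

# Executable names VS Code and its standalone CLI run under
# (assumption: typical Windows and Linux install names).
VSCODE_IMAGES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}

# Constructed allow-list: hosts your organization has approved for tunnel traffic.
APPROVED_HOSTS = {"tunnel-relay.corp.example"}


@dataclass
class Event:
    host: str
    user: str
    image: str            # executable name from the process/network event
    cmdline: str = ""     # set on process-creation events
    remote_host: str = "" # set on network-connection events


def is_vscode(ev: Event) -> bool:
    """Tier 1 predicate: any execution of (or connection by) a VS Code binary."""
    return ev.image.lower() in VSCODE_IMAGES


def tunnel_args(ev: Event) -> Optional[list[str]]:
    """Tier 2 predicate: return the arguments following the `tunnel` subcommand,
    or None when the command line does not start a tunnel."""
    if not ev.cmdline:
        return None
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        tokens = shlex.split(ev.cmdline, posix=False)
    except ValueError:
        tokens = ev.cmdline.split()
    lowered = [t.lower() for t in tokens]
    if "tunnel" not in lowered:
        return None
    return tokens[lowered.index("tunnel") + 1:]


def tunnel_name(args: list[str]) -> str:
    """Pull the operator-chosen tunnel name (`--name X` or `--name=X`) for the report."""
    for i, arg in enumerate(args):
        if arg == "--name" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--name="):
            return arg.split("=", 1)[1]
    return ""


def triage(events: list[Event], vscode_allowed: bool, tunnels_allowed: bool) -> list[tuple[str, Event]]:
    """Apply the three tiers; the first tier that applies under the policy wins."""
    findings: list[tuple[str, Event]] = []
    for ev in events:
        if not is_vscode(ev):
            continue
        if not vscode_allowed:                      # Tier 1: VS Code is not sanctioned here
            findings.append(("tier1_vscode_present", ev))
            continue
        args = tunnel_args(ev)
        if args is not None and not tunnels_allowed:  # Tier 2: tunnels are not sanctioned
            findings.append(("tier2_tunnel_started", ev))
            continue
        if ev.remote_host and ev.remote_host not in APPROVED_HOSTS:  # Tier 3: unapproved destination
            findings.append(("tier3_unapproved_destination", ev))
    return findings


# Constructed sample telemetry: two process creations on a developer box, one on an
# HR workstation, and two network connections from the same binaries.
SAMPLE_EVENTS = [
    Event("dev-ws01", "alice", "code.exe",
          cmdline=r'"C:\Program Files\Microsoft VS Code\code.exe" --goto src\main.py'),
    Event("dev-ws01", "alice", "code.exe",
          cmdline=r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms --name alice-ws01'),
    Event("hr-ws07", "bob", "code-tunnel.exe", cmdline="code-tunnel.exe tunnel --name hr-ws07"),
    Event("dev-ws01", "alice", "code.exe", remote_host="tunnel-relay.corp.example"),
    Event("hr-ws07", "bob", "code-tunnel.exe", remote_host="relay.unknown-example.net"),
]


def report(findings: list[tuple[str, Event]]) -> list[str]:
    """Render findings as one line each, including the tunnel name when present."""
    lines = []
    for tier, ev in findings:
        name = tunnel_name(tunnel_args(ev) or [])
        extra = f" name={name}" if name else (f" remote={ev.remote_host}" if ev.remote_host else "")
        lines.append(f"{tier}: {ev.host} {ev.user} {ev.image}{extra}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_EVENTS, vscode_allowed=True, tunnels_allowed=False)):
        print(line)
```

The `tunnel` token check is deliberately loose so it catches the subcommand wherever it appears after the image path; a folder literally named `tunnel` opened from the CLI would also match, so treat tier 2 hits as hunting leads to confirm against the full command line before acting on the "kill the process" option above.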
Effective threat hunting and mitigation require collaboration across various teams. Engage with your development leads and IT teams to understand the necessity and usage of VS Code and its features. This cross-functional communication is crucial for creating accurate baselines and implementing effective security measures that secure your environment without hamstringing any of your engineering or IT staff.
Conclusion
In this week's Threat Hunters Corner, we explored the emerging trend of Chinese nation-state actors using VS Code remote tunnels for persistent remote access. By adopting an inverted pyramid approach, you can effectively hunt for, detect, and prevent such activities within your organization. Remember, understanding your baseline and maintaining open communication across teams are key to successful threat mitigation.
As always, if you have any questions, feel free to reach out. Stay safe out there, and we'll see you in the next episode.