Background

In May 2024, mnemonic responded to an incident involving adversary use of VS Code's remote development extensions.

Misuse of this technique has recently been reported in a cyber espionage context, but it has not previously been linked to what we assess to be cybercrime activity.

The technique has been described in theory before, but reports of it being used in the wild are limited to these two instances.

Threat Intelligence assessment

We recently observed this technique used in the wild by a threat actor likely attempting to gain a foothold on a domain controller. We have not been able to ascertain the threat actor's goal in this specific incident, but we assess that the activity was possibly performed by an initial access broker (IAB).

This assessment is based on the tactics, techniques, and procedures (TTPs) used by the threat actor.

The threat actor spent approximately three hours executing their attack chain.

Recommendations

We strongly advise configuring and deploying the Group Policy Objects (GPOs) that Microsoft documents for VS Code remote tunnels. The following policies are supported:

  • Disable anonymous tunnel access
  • Disable tunnel access in general
  • Only allow tunnel access from specific Microsoft Entra tenant IDs

At the network level, tunnel access can be blocked by denying outbound access to global.rel.tunnels.api.visualstudio.com, for example at the egress proxy or at the DNS resolver. Note that blocking only this host limits the tunnel client; it is not a substitute for the GPOs above, which prevent the tunnel from being configured in the first place.

mnemonic also recommends hunting for services that launch code.exe on servers where VS Code should not be running at all, such as domain controllers.

In addition, mnemonic recommends monitoring for network traffic, including DNS queries, directed towards global.rel.tunnels.api.visualstudio.com from servers or network zones that have no business communicating with this service.
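The following PowerShell hunt is an added example for this page and is not mnemonic's or Microsoft's tooling. It covers the three host-side recommendations above on a single Windows server: installed services whose binary is code.exe, running code.exe processes, service-installation events (System log, Event ID 7045), and DNS queries and live connections towards the tunnel relay host. It assumes it is run in an elevated session; the Sysmon query assumes Sysmon with DNS logging (Event ID 22) is deployed and is skipped silently if that log does not exist. The function names and the 30-day lookback are choices made for this example.

```powershell
# Added example: hunt for VS Code remote tunnel artifacts on a Windows server
# such as a domain controller. Not mnemonic's or Microsoft's code. Run elevated.

$TunnelHost   = 'global.rel.tunnels.api.visualstudio.com'   # relay host named in the recommendations
$LookbackDays = 30                                           # assumption: adjust to your retention
$Since        = (Get-Date).AddDays(-$LookbackDays)

function Find-CodeServices {
    # Installed services whose image path points at code.exe. The VS Code CLI can
    # register its tunnel as a Windows service, which is how it survives reboots.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'code\.exe' } |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Find-CodeProcesses {
    # code.exe should not normally be running on a server at all.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'code.exe'" |
        Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine
}

function Find-ServiceInstallEvents {
    # Event ID 7045 in the System log records every new service installation,
    # including the image path, so a removed tunnel service still leaves a trace.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'code\.exe' } |
        Select-Object TimeCreated, Message
}

function Find-TunnelDnsQueries {
    # Sysmon Event ID 22 (DnsQuery). Silently returns nothing if Sysmon is not
    # installed or DNS logging is not enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($TunnelHost) } |
        Select-Object TimeCreated, Message
}

function Find-TunnelConnections {
    # Established TCP sessions to whatever the relay host resolves to right now.
    # The address set changes over time, so resolve at run time rather than hard-coding IPs.
    $relayIps = (Resolve-DnsName -Name $TunnelHost -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }).IPAddress
    if (-not $relayIps) { return }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $relayIps -contains $_.RemoteAddress } |
        Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess
}

# Run every check and print a section per finding type. An empty section is the
# expected result on a healthy domain controller; anything else warrants triage.
$checks = [ordered]@{
    'Services launching code.exe'          = { Find-CodeServices }
    'Running code.exe processes'           = { Find-CodeProcesses }
    'Service installs referencing code.exe' = { Find-ServiceInstallEvents }
    "DNS queries for $TunnelHost"          = { Find-TunnelDnsQueries }
    "Established connections to $TunnelHost" = { Find-TunnelConnections }
}

foreach ($name in $checks.Keys) {
    $results = @(& $checks[$name])
    Write-Host "== $name : $($results.Count) finding(s) =="
    if ($results.Count -gt 0) { $results | Format-Table -AutoSize -Wrap }
}
```

Run the script on each server in scope rather than only on the one that raised the alert: the service check and the 7045 events are the durable evidence, while DNS and connection checks only catch a tunnel that is active at the time of the hunt. The DNS query text matches on the hostname string, so it also catches the relay host appearing as part of a longer name in the event message.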

Detection coverage for Argus MDR customers

We have deployed detection to all Argus MDR customers based on the incident described above and are continuously monitoring the situation to develop additional detection logic.