Microsoft VSCode Remote Tunnels

VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used by malicious actors.

This feature allows developers to remotely access their local coding environment, which promotes engagement and flexibility.

Abusing this feature, malicious actors deliver files or scripts that install the VSCode CLI and create a remote tunnel without the user’s awareness.

This gives attackers unauthorized access to the developer’s device, enabling them to steal confidential data, deploy malware, and move laterally across the network.


How Are VSCode Tunnels Being Abused by Threat Actors?

According to On the Hunt’s blog post, the malicious LNK file that is initially delivered contains a PowerShell command that downloads and executes a Python script from a remote IP address.

That Python script downloads and executes the VSCode CLI binary, code-insiders.exe, then uses the CLI to create a VSCode tunnel and authenticate it against GitHub.

The Attack Chain

Once the Python payload has created the remote VSCode tunnel, the threat actor connects to it through a web browser and executes commands on the victim host.

Python Script sets up the tunnel 

Pressing the Connect to Tunnel button authenticates to VSCode; this step does not require the attacker’s own GitHub account.

Connecting to tunnel

Once the account is verified, a list of remote hosts with active tunnels is shown. Selecting the online victim host connects to the VSCode remote tunnel running on that machine.

From there, traversing directories on the victim’s remote computer is possible, as is creating new files or scripts and running them remotely.
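The chain above leaves a distinctive trace on the endpoint: a VSCode CLI binary launched with the tunnel subcommand, typically by a script host and from a location outside a normal VS Code install. The following is an added example (not code from the article or from On the Hunt) that scores Sysmon-style process-creation events on exactly those signals; the events, paths and host names are constructed.

```python
"""Flag VSCode CLI tunnel creation in Windows process-creation events.
Added defender example; events are constructed Sysmon-style dicts, not article data."""
import re
from pathlib import PureWindowsPath

# code.exe / code-insiders.exe and the code-tunnel.exe CLI helper can all host a tunnel.
VSCODE_CLI = re.compile(r"^code(-insiders)?(-tunnel)?\.exe$", re.I)
TUNNEL_ARG = re.compile(r"(^|\s)tunnel(\s|$)", re.I)
# Script hosts that should not be launching a tunnel on a developer box.
SCRIPT_PARENTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                  "cmd.exe", "wscript.exe", "mshta.exe"}
# Where a legitimately installed VS Code lives (system-wide or per-user install).
EXPECTED_DIRS = ("\\program files\\microsoft vs code",
                 "\\appdata\\local\\programs\\microsoft vs code")

def assess(event):
    """Return (severity, reasons) for one process-creation event."""
    image = PureWindowsPath(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if not (VSCODE_CLI.match(image.name) and TUNNEL_ARG.search(cmd)):
        return "none", []
    reasons = ["VSCode CLI invoked with the 'tunnel' subcommand"]
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by script host {parent}")
    if not any(d in str(image).lower() for d in EXPECTED_DIRS):
        reasons.append("binary runs from outside a VS Code install directory")
    if "--accept-server-license-terms" in cmd.lower():
        reasons.append("non-interactive license acceptance (unattended setup)")
    return ("high" if len(reasons) > 1 else "medium"), reasons

def triage(events):
    """Return [(severity, reasons)] for every event that is not benign."""
    return [r for r in map(assess, events) if r[0] != "none"]

# Constructed samples: a dropped CLI started by Python, a normal developer tunnel, an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\AppData\Local\Temp\code-insiders.exe",
     "CommandLine": "code-insiders.exe tunnel --accept-server-license-terms --name build-01",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe"},
    {"Image": r"C:\Program Files\Microsoft VS Code\bin\code-tunnel.exe",
     "CommandLine": "code-tunnel.exe tunnel --name dev-laptop",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for severity, reasons in triage(SAMPLE_EVENTS):
        print(severity, "-", "; ".join(reasons))
```

A developer's own tunnel from the installed editor still surfaces as medium, so the rule is meant to feed a review queue (or an allow-list of sanctioned tunnel users) rather than to block outright.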

Organizations are advised to restrict remote tunnel access to their own tenants. Where that is not feasible, tunnel use within the estate should be prohibited, or controls that prevent its misuse should be put in place.

By taking such proactive measures against this emerging threat, companies can safeguard their sensitive data and protect the integrity of their development environments.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.