TL;DR: The FBI says First VPN Service was used by at least 25 ransomware groups for reconnaissance, credential attacks, remote intrusion, and denial-of-service activity, underscoring how visible remote access infrastructure still fuels initial access and discovery. Exposing the access path remains a governance failure, because attackers can target what they can see before authentication or segmentation ever matters.
At a glance
What this is: This is an analysis of why exposed remote access infrastructure remains an entry point for modern attackers, and why concealment can be as important as authentication.
Why it matters: It matters because IAM, PAM, and NHI teams still overestimate the protection value of controls that harden access without reducing exposure, leaving discoverable services open to credential abuse and reconnaissance.
By the numbers:
- The service had been used by at least 25 ransomware groups to support malicious activity.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read Appgate's analysis of Single Packet Authorization and remote access exposure
Context
Remote access security fails when the service itself remains easy to find. VPNs, gateways, and other externally reachable entry points can be hardened with MFA and allowlists, but they still advertise that access exists, which gives attackers a target for scanning, credential abuse, and reconnaissance.
The article’s core point is not that one criminal infrastructure service was taken down. It is that the visibility of remote access infrastructure remains a structural problem for identity governance, because defenders often secure the login while leaving the door discoverable.
Key questions
Q: How should security teams reduce exposure in remote access infrastructure?
A: Start by inventorying every internet-facing access path and identifying which services reveal themselves before authentication. Then reduce discoverability with access cloaking or equivalent controls, while keeping MFA, segmentation, and device trust in place. The goal is to make scanning and reconnaissance fail early, not merely make logins harder.
Q: Why do visible VPN gateways remain attractive to attackers?
A: Visible VPN gateways help attackers because they can be scanned, fingerprinted, and targeted for credential attacks before defenders see meaningful compromise. A reachable login path gives adversaries a place to focus reconnaissance, and that early visibility often matters more than the strength of the password prompt itself.
Q: What breaks when source-IP allowlisting is used as the main trust signal?
A: Source-IP allowlisting breaks when attackers use dynamically assigned infrastructure, proxies, or stolen credentials that make the origin look legitimate. IP reputation can change after reassignment, so the control becomes brittle. Identity-aware policy is more durable because it ties access to authenticated context, not network location.
Q: Who is accountable for exposing remote access services to the internet?
A: Security and infrastructure teams share accountability when remote access services remain publicly discoverable without a clear business need. IAM, PAM, and network owners should jointly review whether the exposed service is necessary, what it reveals to unauthorised users, and which controls justify that exposure.
Technical breakdown
Why exposed remote access becomes a discovery problem
When a VPN or remote access gateway is internet-facing, it becomes part of an attacker’s discovery workflow. Even if the service is well configured, it can still reveal protocol responses, timing, error patterns, and the existence of a reachable login path. That gives adversaries a low-cost way to map the environment before they attempt credential attacks or exploit chains. In MITRE ATT&CK terms, discovery and valid account abuse often start before any payload is delivered. The issue is not only authentication weakness. It is the fact that the access surface is visible enough to be profiled in the first place.
Practical implication: reduce discoverability of remote access services before adding more login friction.
How single packet authorization changes the exposure model
Single packet authorization changes the sequence of events. A protected service does not present a normal, reusable access path until a cryptographically valid authorization packet is received. That means the system can withhold the ordinary handshake that scanners, bots, and opportunistic attackers depend on. In practice, SPA is an exposure control, not just an authentication control. It limits the amount of information unauthorised parties can gather from the network edge and raises the cost of reconnaissance against remote access infrastructure.
Practical implication: treat access cloaking as a control layer alongside MFA and segmentation, not as a replacement for them.
Why IP-based blocking is too brittle for modern abuse
The FBI notes that threat actors use dynamically assigned VPN infrastructure, which makes IP reputation and static blocklists less reliable. If a malicious endpoint can later be reassigned to legitimate traffic, the defender’s trust in source address becomes fragile. This is a reminder that identity and policy must be tied to authenticated context rather than assumed network origin. A remote access decision based mainly on source IP is weak against adversaries that rotate infrastructure, proxy through intermediaries, or blend into common traffic patterns.
Practical implication: anchor access decisions in identity, device, and entitlement rather than source IP alone.
Threat narrative
Attacker objective: The attacker wants a reachable, low-friction path into enterprise environments that can be reused for reconnaissance, intrusion, and follow-on abuse without standing out.
- Entry begins with visible remote access infrastructure that can be scanned, probed, and profiled before authentication is attempted.
- Escalation follows when attackers use valid accounts, credential attacks, or anonymized infrastructure to blend into normal traffic and gain footholds.
- Impact comes when the same access paths support reconnaissance, intrusion, lateral movement, and denial-of-service operations at scale.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- SonicWall VPN Mass Breach via Stolen Credentials — Stolen credentials enable mass compromise of SonicWall VPN accounts across enterprise environments.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Exposed access is the real governance failure, not weak authentication alone. MFA, segmentation, and device trust still matter, but they do not solve the fact that a public remote access service can be enumerated and profiled before any control is challenged. That means the attacker’s first win is often discovery, not compromise. Practitioners should read this as a perimeter-exposure problem, not a login problem.
Identity controls that assume the access path is already known are incomplete. Remote access governance often starts at the authentication step, but modern attackers build their kill chain one exposed service at a time. If the service is visible, the environment has already accepted an unnecessary risk surface. The implication is that visibility itself must be treated as part of the access model.
Hidden access paths create a narrower and more defensible trust boundary. Single packet authorization matters because it changes what unauthorised users can observe, not just what they can reach. That reduces the value of reconnaissance and makes remote access less attractive to opportunistic criminal infrastructure. The implication is a shift from hardening exposed access to minimizing exposure before access exists.
Remote access infrastructure should be governed like a high-value identity surface. In practice, VPN gateways and adjacent remote access services have become identity infrastructure, because they mediate authentication, device trust, entitlement checks, and session visibility. That should move them into the same governance conversations as privileged access, not leave them in a network-only lane. Practitioners should align remote access controls with identity governance, not just network perimeter operations.
From our research:
- The service had been used by at least 25 ransomware groups to support malicious activity, according to 52 NHI Breaches Analysis.
- Overprivileged AI systems show a 76% incident rate versus 17% for least-privileged systems, a 59-point spread that shows how quickly excessive access turns into security failure.
- For a wider view of recurring identity failure patterns, see Top 10 NHI Issues for the governance gaps that keep reappearing.
What this signals
Exposure control is becoming a first-class identity control. As remote access services remain public targets, practitioners should expect the boundary between IAM and network security to keep narrowing. The more a gateway behaves like identity infrastructure, the more it belongs in access review, privileged access, and lifecycle governance conversations, not only in firewall operations.
Identity visibility will matter as much as credential strength. When attackers can enumerate services before they authenticate, the programme is already accepting unnecessary attack surface. That is why exposure reduction, not just stronger login policy, should enter the same decision set as segmentation and session logging.
With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the broader pattern is clear: access is still being expanded faster than it is being governed. That same habit shows up in exposed remote access, where convenience outruns control.
For practitioners
- Map every externally reachable remote access service Inventory VPNs, gateways, admin portals, and other access paths that answer internet probes. Classify each one by visibility, authentication strength, and whether it reveals useful reconnaissance signals before login. Use that inventory to drive remediation priorities, not just firewall rules.
- Reduce service discoverability before tightening login controls Where possible, use access cloaking, Single Packet Authorization, or equivalent exposure-reduction patterns so scanners cannot learn that a protected service exists. Keep MFA and device trust in place, but do not rely on them as the only barrier.
- Replace source-IP trust with identity-aware policy Stop using IP allowlists as the main proof of legitimacy for remote access. Bind authorization to authenticated identity, device posture, and entitlement scope so dynamically reassigned infrastructure or proxied traffic does not inherit trust.
- Move remote access into privileged access governance Treat remote access gateways as part of PAM and identity governance reviews. Recertify who can reach them, what they can reach after login, and whether broad network visibility is still justified for each role.
Key takeaways
- The core issue is not just credential strength, but the fact that public remote access services remain easy to find and target.
- The FBI’s advisory shows a repeatable attack pattern, with at least 25 ransomware groups abusing one access service for reconnaissance and intrusion.
- Security teams should pair MFA and segmentation with exposure reduction, because hiding the access path changes the attacker’s economics.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Remote access exposure and credential abuse map directly to NHI credential and access governance. |
| MITRE ATT&CK | TA0007 , Discovery; TA0006 , Credential Access; TA0008 , Lateral Movement | The article tracks attacker discovery, valid account use, and follow-on movement. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and policy-based authorisation are central to the control model. |
| NIST Zero Trust (SP 800-207) | Section 3.1 | The piece argues for reduced exposure and explicit access verification at the boundary. |
| NIST SP 800-53 Rev 5 | AC-17 | Remote access control is directly implicated by the article's remote infrastructure focus. |
Align remote access entitlements to PR.AC-4 and remove broad access that is not operationally required.
Key terms
- Exposure Reduction: Exposure reduction is the practice of making a service harder to discover and probe before any access decision is made. In identity security, it shifts attention from only verifying who is asking to also limiting what unauthorised parties can see, fingerprint, or repeatedly test.
- Single Packet Authorization: Single Packet Authorization is an access pattern where a protected service stays hidden from ordinary connection attempts until it receives a valid cryptographic request. It changes remote access from an always-visible gate to a concealed entry point that only reveals itself after authorization succeeds.
- Remote Access Gateway: A remote access gateway is an externally reachable control point that brokers user or system access into internal resources. In IAM terms, it becomes a critical identity surface because it mediates authentication, policy enforcement, and the visibility of protected applications.
- Identity-Aware Policy: Identity-aware policy authorises access using authenticated identity, device context, and entitlement scope instead of trusting the network location alone. This matters when attackers can proxy traffic, rotate infrastructure, or reuse valid credentials against services that are still publicly reachable.
What's in the full article
Appgate's full analysis covers the operational detail this post intentionally leaves for the source:
- How Single Packet Authorization is implemented in AppGate ZTNA for protected resources.
- The difference between cloaking modes and ordinary TCP listener visibility in practice.
- The white paper's control layering model for combining SPA, MFA, device trust, and entitlements.
- Why the vendor argues exposure reduction changes the reconnaissance stage of the attack chain.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org