Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Remote access exposure: is your access path still too visible?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: The FBI says First VPN Service was used by at least 25 ransomware groups for reconnaissance, credential attacks, remote intrusion, and denial-of-service activity, underscoring how visible remote access infrastructure still fuels initial access and discovery. Exposing the access path remains a governance failure, because attackers can target what they can see before authentication or segmentation ever matters.

NHIMG editorial — based on content published by Appgate: the FBI's advisory on First VPN Service and remote access exposure

By the numbers:

Questions worth separating out

Q: How should security teams reduce exposure in remote access infrastructure?

A: Start by inventorying every internet-facing access path and identifying which services reveal themselves before authentication.

Q: Why do visible VPN gateways remain attractive to attackers?

A: Visible VPN gateways help attackers because they can be scanned, fingerprinted, and targeted for credential attacks before defenders see meaningful compromise.

Q: What breaks when source-IP allowlisting is used as the main trust signal?

A: Source-IP allowlisting breaks when attackers use dynamically assigned infrastructure, proxies, or stolen credentials that make the origin look legitimate.

Practitioner guidance

  • Map every externally reachable remote access service Inventory VPNs, gateways, admin portals, and other access paths that answer internet probes.
  • Reduce service discoverability before tightening login controls Where possible, use access cloaking, Single Packet Authorization, or equivalent exposure-reduction patterns so scanners cannot learn that a protected service exists.
  • Replace source-IP trust with identity-aware policy Stop using IP allowlists as the main proof of legitimacy for remote access.

What's in the full article

Appgate's full analysis covers the operational detail this post intentionally leaves for the source:

  • How Single Packet Authorization is implemented in AppGate ZTNA for protected resources.
  • The difference between cloaking modes and ordinary TCP listener visibility in practice.
  • The white paper's control layering model for combining SPA, MFA, device trust, and entitlements.
  • Why the vendor argues exposure reduction changes the reconnaissance stage of the attack chain.

👉 Read Appgate's analysis of Single Packet Authorization and remote access exposure →

Remote access exposure: is your access path still too visible?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Exposed access is the real governance failure, not weak authentication alone. MFA, segmentation, and device trust still matter, but they do not solve the fact that a public remote access service can be enumerated and profiled before any control is challenged. That means the attacker’s first win is often discovery, not compromise. Practitioners should read this as a perimeter-exposure problem, not a login problem.

A few things that frame the scale:

  • The service had been used by at least 25 ransomware groups to support malicious activity, according to 52 NHI Breaches Analysis.
  • Overprivileged AI systems show a 76% incident rate versus 17% for least-privileged systems, a 59-point spread that shows how quickly excessive access turns into security failure.

A question worth separating out:

Q: Who is accountable for exposing remote access services to the internet?

A: Security and infrastructure teams share accountability when remote access services remain publicly discoverable without a clear business need. IAM, PAM, and network owners should jointly review whether the exposed service is necessary, what it reveals to unauthorised users, and which controls justify that exposure.

👉 Read our full editorial: Remote access exposure and the case for hidden access paths



   
ReplyQuote
Share: