VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used by malicious actors. The feature allows developers to reach their local coding environment remotely, which gives them flexibility in where and how they work.

Abusing this feature, malicious actors deliver files or scripts that install the VSCode CLI and create a remote tunnel without the user's awareness. This gives attackers unauthorized access to the developer's device, enabling them to steal confidential data, deploy malware, and move laterally across the network.

How VSCode Tunnels Are Being Abused by Threat Actors
---

According to On the Hunt's [blog post](https://newtonpaul.com/vscode-remote-tunnels-abuse-and-detections/), the initially delivered malicious LNK file contains a PowerShell command that downloads and executes a Python script from a remote IP address.

That Python script downloads and runs the VSCode CLI binary, code-insiders.exe, and then uses the CLI to create a [VSCode tunnel](https://cybersecuritynews.com/hackers-visual-studio-code-remote-access/) and authenticate it against GitHub.

![The Attack Chain](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBL7uKnAfIW7mGVHkhe7zI6geQWSSHtEamUC5W4g1-eEpdlNEDigqp4So5p0eXjVHE8aRqwAWhNBxW_ljZZO6IcXoXjFdXZpDoKkwGZSRGWdgHb1Mxb9cg3cIlJVxCFAi-dtB3H79Oy3q2_OJ0oTeZg-Me8vgPihlN26s28uhSCRBE91Gt19Xo6BmmlYDe/s16000/Capture%20(2).webp)

Once the remote tunnel is created, the threat actor reaches it through a web browser and uses it to execute commands on the victim host, such as the Python payload.

![Python script sets up the tunnel](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXy6GzDkpwD6r55AnkHIftz2MjMESMXNbRbjy6ZDrCGpIMqpwiO1rXfQIzh6l1TRTeOZRSeJq8g6mauzlidtu6_-9P6-7qs8rUNSzV4Bka8jZRu-n2tq7oD5lpesNuqG8FS2QO0_dk_3gzn8KgNyvMaMub1wjFp5d9MPsl6IzWUiEBm7_27kDbTvPAsoAU/s16000/Capture%20(3).webp)

To authenticate to VSCode without using the attacker's own GitHub account, the "connect to tunnel" button is pressed.

![Connecting to the tunnel](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSW5UxrWEwt0bKGTNmnVXTtOiMgsPMRsLsKrWZ-HxwJKDK95W0UcU9KCeLaCzSZzUtLe1VXvUWdiucsaL2uhSKEozQzaMuBjCJO2iXRNH97y2XxxY7JffFjcOvXlftJ190m9Fc0JIek9qfC3_RTqtUn6hrU6PMbLI647mWp6HsqkZKSpCnhyXDuGvDH0bi/s16000/Capture%20(4).webp)

Once verified with the account, a list of remote hosts with active tunnels can be observed. Selecting the online victim host connects to the VSCode remote tunnel running on that host.

This makes it possible to traverse directories on the victim's remote computer. It is also possible to create new files or scripts and run them remotely.

Organizations are advised to restrict remote tunnel access to their own tenants. Where that is not feasible, tunnel use within the estate should be prohibited, or measures to prevent its misuse should be put in place. By taking such proactive measures against this emerging threat, companies can safeguard their sensitive data and protect the integrity of their development environments.
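As an added example (not code from the original post or from On the Hunt's blog), the routine below scans constructed process-creation events for the chain described above: a scripting host such as PowerShell or Python launching the VSCode CLI with a `tunnel` argument. Only code-insiders.exe is named in the article; the other CLI binary names and the Sysmon-like event shape are assumptions.

```python
import shlex
from pathlib import PureWindowsPath

# VSCode CLI binaries that can open a remote tunnel. code-insiders.exe is the
# one named in the article; code.exe and code-tunnel.exe are assumed aliases.
TUNNEL_BINARIES = {"code.exe", "code-insiders.exe", "code-tunnel.exe"}
# Script hosts seen in the chain LNK -> PowerShell -> Python -> VSCode CLI.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_tunnel_launch(event):
    """True when the event is the VSCode CLI being told to create a tunnel."""
    if _basename(event["image"]) not in TUNNEL_BINARIES:
        return False
    # posix=False keeps Windows backslash paths intact; quotes are stripped.
    args = [a.strip('"').lower()
            for a in shlex.split(event["command_line"], posix=False)]
    return "tunnel" in args[1:]


def triage(events):
    """Flag every tunnel launch; a scripting-host parent raises severity."""
    alerts = []
    for ev in events:
        if not is_tunnel_launch(ev):
            continue
        parent = _basename(ev["parent_image"])
        severity = "high" if parent in SCRIPT_HOSTS else "medium"
        alerts.append({"pid": ev["pid"], "parent": parent, "severity": severity})
    return alerts


# Constructed sample events (not real telemetry), Sysmon-like field names.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\dev\AppData\Local\Temp\code-insiders.exe",
     "parent_image": r"C:\Python312\python.exe",
     "command_line": r'"C:\Users\dev\AppData\Local\Temp\code-insiders.exe" tunnel'},
    {"pid": 4188, "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\bin\code.exe" tunnel'},
    {"pid": 4201, "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\bin\code.exe" C:\project'},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The first event reproduces the article's chain and is rated high; the second is a tunnel started by a user from Explorer and is rated medium for review, while opening a folder produces no alert.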
The post [Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools](https://cybersecuritynews.com/hackers-abusing-microsoft-vscode-remote-tunnels/) appeared first on [Cyber Security News](https://cybersecuritynews.com).