‘Remote Desktop Protocol abuse behind 90% of attacks’

Staff Writer
By Staff Writer, ITWeb
Johannesburg, 04 Apr 2024
John Shier, field CTO, Sophos.
John Shier, field CTO, Sophos.

Cyber criminals are increasingly abusing remote desktop protocol (RDP) – a common method for establishing remote access on Windows systems, according to Sophos.

In its latest Active Adversary analysis, It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024, the cyber security vendor found that cyber criminals abused RDP in 90% of attacks. The report is based in the analysis of more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023. It includes IR cases from 23 countries, including South Africa.

This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

In 2023, external remote services like RDP were the most common vector used to breach networks, accounting for 65% of initial access for cyber criminals. Defenders should consider this a clear sign to prioritise the management of external remote services when assessing risk to the enterprise, the Sophos report stated.

John Shier, field CTO at Sophos, said, “External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn't take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

The company stated that in one Sophos X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports.

Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access.

Compromised credentials

Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that in the first half of that year, for the first time, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks.

This trend continued through the rest of 2023, with compromised credentials representing the root cause of over 50% of IR cases for the entire year.

When looking at Active Adversary data cumulatively over the years from 2020 through 2023, compromised credentials were also the number one ‘all-time’ root cause of attacks, involved in nearly a third of all IR cases. Yet despite the historical prevalence of compromised credentials in cyber attacks, in 43% of IR cases in 2023, organisations did not have multi-factor-authentication configured.

Exploiting vulnerabilities was the second most common root cause of attacks, both in 2023 and when analysing data cumulatively from 2020 through 2023, accounting for 16% and 30% of IR cases, respectively.

Shier said, “For far too long, certain risks such as open RDP continue to plague organisations, to the delight of attackers who can walk right through the front door of an organisation. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall and better able to defeat cyber attacks.”