RDP abused in over 90% of cyber attacks, Sophos finds

Threat actors continue to see great success using simple, tried and tested methods, and many defenders are failing to do the basics

Threat actors are abusing the widely used Windows remote desktop protocol (RDP) remote access feature in their attack chains at a rate unprecedented since the Covid-19 pandemic, according to analysis released by Sophos in its latest Active adversary report, which explores over 150 incident response cases to which its X-Ops team responded during 2023.

It said it saw RDP exploitation occur in 90% of cases last year, the highest rate seen since the 2021 report, covering data from 2020, the pandemic’s height.

In one incident, attackers successfully compromised the victim no less than four times over a six-month period, in each case gaining initial access through exposed RDP ports – which was also the most common vector via which attackers breached networks, found in 65% of the documented cases.

Once inside the victim’s network, the attackers continued to move laterally through their network, downloading malicious binaries, turning off cyber security tools that were protecting their endpoints and establishing remote control. “External remote services are a necessary, but risky, requirement for many businesses,” said Sophos field chief technology officer John Shier. “Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond.

“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise,” he added. “It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

Shier said an important aspect of risk management – beyond mere identification and prioritisation – was acting on available information, and yet risks such as exposed RDP ports continue to plague victims “to the delight of attackers”, suggesting too many organisations are simply not paying attention.

“Managing risk is an active process,” said Shier. “Organisations that do this well experience better security situations than those that don’t in the face of continuous threats from determined attackers ... Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall, and better able to defeat cyber attacks.”

Read more about X-Ops’ work

  • According to new research from Sophos, small businesses are seeing a rise in threats such as remotely executed ransomware attacks, malvertising, driver abuse and more.
  • The disclosure of two dangerous vulnerabilities in the popular ConnectWise ScreenConnect product is drawing comparisons with major cyber incidents, including the 2021 Kaseya attack.
  • Ransomware gangs are increasingly media-savvy operators, and this means incident response plans now need to account for communications and PR strategies too.

The latest edition of the ongoing Active adversary series also revealed that while the exploitation of vulnerabilities and the use of compromised credentials are the most common root causes of cyber attacks, the use of stolen credentials has become more widespread, and is now seen in over 50% of incident response cases – exploitation of vulnerabilities accounted for another 30%.

Shier said this was a particular concern given that in 43% of cases, organisations did not have multi-factor authentication (MFA) configured properly or at all.

Other less common root causes observed by Sophos included brute force attacks (3.9% of cases), phishing (3.3%) and supply chain compromise (2.6%). In 13.6% of cases, it was not possible to identify the root cause.

Cyber pros must do more

Looking back on the 2023 data, Shier wrote that given the majority of compromises arise from just three key issues – exposed RDP ports, lack of MFA and unpatched servers – and the relative ease of addressing all three of these problems, he was left with a feeling that not enough was being done to protect organisations from harm, and that while some had the necessary protections in place, few were really paying attention to security.

“Often, the sole differences between organisations that are breached and those that aren’t are, one, the preparation entailed by selecting and putting the proper tools in place; and, two, the knowledge and readiness to act when required,” he wrote.

“Unfortunately we are also still seeing the same mistakes being made by defenders every year. It’s with this in mind that we think organisations need to urgently participate in their own rescue,” continued Shier.

“No industry, product or paradigm is perfect, but we’re still fighting yesterday’s battles with, too often, the day before yesterday’s weaponry. Most of the tools and techniques described in this report have solutions, or at the very least, mitigations, to limit their harm, but defences are simply not keeping up.”

Wrapping up the report, he said it could be tempting for cyber pros to succumb to anger at all-too-frequent and avoidable failures. “We say, don’t look back in anger, look forward to how you can make positive change today for a better tomorrow,” said Shier.

Read more on Hackers and cybercrime prevention

Data Center
Data Management