SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Report finds 90% of cyber attacks in 2023 exploited RDP

Thu, 11th Apr 2024

Sophos, the cyber security solutions firm, has revealed in its latest Active Adversary analysis that Remote Desktop Protocol (RDP) was abused in 90% of attack cases it handled during 2023. The report's findings are based on more than 150 incident response cases managed by the Sophos X-Ops incident response team from 26 different sectors in 23 countries worldwide, offering a broad lens on the global cyberattack landscape.

External remote services such as RDP, which is widely used to establish remote access on Windows systems, were found to be the primary vector utilised for initial network breaches, being traced as the source in 65% of incidents. This marks the highest prevalence of RDP abuse since the Active Adversary report series was initiated by Sophos in 2020. The services have consistently topped the list of initial access points for cybercriminals each year since then, exceeding even compromised login credentials and vulnerabilities.

John Shier, Field CTO at Sophos, said: "External remote services are a necessary, but risky, requirement for many businesses. It doesn't take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond."

The report detailed one instance where attackers infiltrated a customer's networks four times over a six-month period through exposed RDP ports. Having gained access, they proceeded to move laterally across the networks, downloaded malicious binaries, disabled endpoint protection, and established remote access.

Despite increasing scrutiny placed on managing and protecting login credentials, compromised credentials were found to be the root cause of over half of the incident response cases in the whole of 2023, surpassing other modes like vulnerabilities. The issue is glaring, as it was revealed that in 43% of the cases, the affected organisations did not have multi-factor authentication in place.

Exploiting vulnerabilities came second, however, accounting for the root causes of attacks in 16% of incident response cases in 2023 and 30% cumulatively over the four years from 2020 through to 2023.

Shier emphasised that managing risk is a proactive process, and one of the starting points in ramping up security measures is identifying and acting on potential threats. Still, he warned that risks such as open RDP continue to plague organisations, creating a doorway for attackers. "Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall and better able to defeat cyberattacks," he said.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X