90% of Cyber Attacks Exploited Remote Desktop Protocol in 2023- Report

John Shier, field CTO, Sophos.

Sophos‘ active adversary analysis has found that a majority of cybercriminals abused remote desktop protocol [RDP]—a common method for establishing remote access on Windows systems—in 90% of attacks.

The report, titled “It’s Oh So Quiet [?]: The Sophos Active Adversary Report for 1H 2024” analyzes more than 150 incident response cases handled by the Sophos X-Ops IR team in 2023.

This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65% of IR cases in 2023.

External remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, and defenders should consider this a clear sign to prioritize the management of these services when assessing risk to the enterprise.

“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise,” said John Shier, field CTO, Sophos.

Read Also: 2024 Sophos Threat Report Reveals Data and Credential Theft as Top Threats to Firms

He added that It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.

In one Sophos X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports.

Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access.

Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that in the first half of that year, for the first time, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks.

This trend continued through the rest of 2023, with compromised credentials representing the root cause of over 50% of IR cases for the entire year.

Remote Desktop Protocol

When looking at Active Adversary data cumulatively over the years from 2020 through 2023, compromised credentials were also the number one “all-time” root cause of attacks, involved in nearly a third of all IR cases.

Yet despite the historical prevalence of compromised credentials in cyberattacks, in 43% of IR cases in 2023, organizations did not have multi-factor-authentication configured.

Exploiting vulnerabilities was the second most common root cause of attacks, both in 2023 and when analyzing data cumulatively from 2020 through 2023, accounting for the root cause in 16% and 30% of IR cases, respectively.

“Managing risk is an active process. Organizations that do this well experience better security situations than those that don’t in the face of continuous threats from determined attackers.

An important aspect of managing security risks, beyond identifying and prioritizing them, is acting on the information.

Yet, for far too long, certain risks such as open RDP continue to plague organizations, to the delight of attackers who can walk right through the front door of an organization.

Securing the network by reducing exposed and vulnerable services and hardening authentication will make organizations more secure overall and better able to defeat cyberattacks,” said Shier.

The Sophos Active Adversary Report for 1H 2024 is based on more than 150 incident response [IR] investigations spanning the globe across 26 sectors.

Targeted organizations are located in 23 different countries, including the United States, Canada, Mexico, Colombia, the United Kingdom, Sweden, Switzerland, Spain, Germany, Poland, Italy, Austria, Belgium, the Philippines, Singapore, Malaysia, India, Australia, Kuwait, the United Arab Emirates, Saudi Arabia, South Africa, and Botswana.

Leave a Reply

Your email address will not be published. Required fields are marked *

Next Post

Agilitee in Joint Venture With PT Valencia for Electric Vehicles in Indonesia

Tue Apr 16 , 2024
Share on Facebook Tweet it Share on Reddit Pin it Share it Email Agilitee, Africa’s top producer of electric vehicles, has announced entry into Indonesia through a deal with PT Valencia Utama Group, a Jakarta based group of companies. This partnership, which aims to promote innovation, sustainability, and regional economic […]

You May Also Like

Chief Editor

Jacktone Lawi

Meet Jacktone Lawi, a seasoned technology journalist with years of experience in the industry. I have developed my passion for technology during my formative years, which has been instrumental in shaping my career trajectory. My expertise lies in reporting on emerging technologies and their impact on businesses and consumers worldwide. Through my experience I’m well-versed in covering topics such as artificial intelligence, blockchain, cybersecurity, cloud computing, and digital transformation, among others. Throughout my career, I have has demonstrated an exceptional ability to distill complex technical information into accessible and engaging content that resonates with my readers. My writing style is clear, concise, and informative, allowing me to communicate even the most technical concepts to a broad audience. Beyond my writing skills, I have also become known for extensive network of industry contacts and ability to secure exclusive interviews with high-profile figures in the technology world. These connections have enabled me to gain unique insights into the latest trends and developments in the field, giving me a competitive edge in my reporting. In addition to my work as a journalist, I’m also actively engaged in the broader technology community. Where I regularly attend conferences and events, share insights and stays up-to-date on the latest innovations in the industry. Overall, my wealth of experience as a technology journalist have given me a deep understanding of the industry and its impact on society.

Quick Links