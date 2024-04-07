A report by Sophos, a global leader of innovative security solutions that deals with cyberattacks, has revealed that cybercriminals abused remote desktop protocol (RDP) – a common method for establishing remote access on Windows systems – in 90 per cent of attacks. The report, the Active Adversary analysis, “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024”, analysed more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023.

This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020. In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65 per cent of IR cases in 2023. External remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, and defenders should consider this a clear sign to prioritize the management of these services when assessing risk to the enterprise. “External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond them. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise.

It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side,” said John Shier, field CTO, Sophos. In one of Sophos’ X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports. Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access. Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that in the first half of that year, for the first time, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks.