According to the Sophos Active Adversary Report, in 2023 cybercriminals exploited the remote desktop protocol (RDP) in 90% of attacks, the highest percentage ever recorded. The report “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024” analyzed more than 150 incident responses (IRs) handled by the Sophos X-Ops team in 202.
The criminal exploitation of the RDP protocol
External remote services such as RDP were also the most common vector by which attackers breached networks, serving as the initial access route in 65% of IR cases in 2023. External remote services have been the most frequent initial access method in every Active Adversary report published so far. Defenders should take this as a sign that managing these services needs to be prioritized when assessing corporate risk.
Don’t leave “doors open” to criminals
John Shier, Field CTO at Sophos
“External remote services are a necessary requirement for many companies, but they are risky. Cybercriminals are well aware of the dangers these services pose and actively try to exploit them to collect the reward they promise. Keeping services exposed without adequate precautions and techniques for mitigating the related risks inevitably leads to IT breaches. It doesn’t take long for an attacker to find and compromise an exposed RDP server. Without additional controls, neither is the Active Directory server waiting on the other side.”
The RDP protocol
In one of the Sophos cases, once inside the network the attackers continued to move laterally, downloading malicious executables, disabling endpoint protection and establishing their own remote access capabilities.
The main causes of attack
Compromised credentials and exploited vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders found that in the first half of 2023, compromised credentials had overtaken vulnerabilities as the primary cause of attack for the first time. This trend continued through the rest of the year, with compromised credentials representing the root cause of over 50% of IR cases for the entire year.
The role of multi-factor authentication
Looking at cumulative data from the Active Adversary reports from 2020 to 2023, compromised credentials are also the single largest root cause of attacks overall: they account for almost a third of all IR cases. Yet, despite the long history of this technique, multi-factor authentication was still absent in 43% of IR cases in 2023. Exploited vulnerabilities were the second most common root cause both in 2023 and in the cumulative 2020–2023 period, responsible for 16% and 30% of IR cases respectively.
Criminal exploitation of the RDP protocol is growing
John Shier, Field CTO at Sophos
“Risk management is an active process. When faced with determined cybercriminals and their constant threats, companies that get it right are better off than those that don’t. An important aspect of managing security risks, beyond identifying and prioritizing them, is the ability to act on the information collected. Yet certain risks, such as open RDP services, have continued to leave businesses vulnerable for too long, much to the delight of attackers who can walk in through the front door. Protecting the network by reducing exposed and vulnerable services and strengthening authentication increases overall security. It also allows you to respond better to cyberattacks.”