Cybercriminals Abuse RDP Protocol in 9 out of 10 Attacks

Compromised credentials and exploited vulnerabilities are the most frequent source of attacks.

Sophos detects an unprecedented level of abuse of the RDP remote desktop protocol. According to the research “It’s all very quiet (?): The Sophos Active Adversary Report for the first half of 2024”, cybercriminals abuse the protocol in 90 % of attacks.

In the security company’s previous reports, this figure was not so high. The report is based on more than 150 incident response cases handled by the Sophos X-Ops IR team throughout 2023.

External remote services stand out as the method by which cybercriminals initially penetrate and breach networks. Meanwhile, compromised credentials and exploited vulnerabilities remain the most frequent source of attacks. It should be noted that many enterprises still fail to set up multi-factor authentication.

“External remote services are a necessary, but risky, element for many businesses,” notes John Shier, Field CTO at Sophos. “Attackers know the risks posed by these services and actively seek to sabotage them because of the rewards behind them.

“Exposing services without special attention and risk mitigation inevitably leads to network compromise,” says Shier. “It doesn’t take an attacker long to find and breach an exposed RDP server without additional controls, nor does it take an attacker long to find the Active Directory server waiting for him on the other side.”

“Managing risk is an active process,” continues the expert. “Companies that do it well experience better security scenarios than those that don’t when it comes to dealing with ongoing threats from determined attackers.

“An important aspect of managing security risks, beyond identifying and prioritising them, is to act on information,” he says. “Despite this, and for far too long, certain risks such as open RDP continue to flood companies with attacks to the delight of cybercriminals, who can enter through the front door.”

“Securing the network by reducing exposed and vulnerable services and strengthening authentication will enable enterprises to improve their security levels and be better prepared to deal with cyber-attacks,” concludes John Shier.