Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Level of RDP abuse unprecedented

April 2024 News & Events

Sophos released the Active Adversary analysis, It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024. The report, which analyses more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, found that cybercriminals abused remote desktop protocol (RDP) — a common method for establishing remote access on Windows systems—in 90% of attacks. This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65% of IR cases in 2023. External remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, and defenders should consider this a clear sign to prioritise the management of these services when assessing risk to the enterprise.

John Shier, field CTO at Sophos, warns, “External remote services are a necessary, but risky, requirement for many businesses. Attackers are well aware of the risks these services pose and actively exploit them due to the potential rewards. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It does not take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

In one Sophos X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports. Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access.

Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that for the first time in the first half of that year, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks. This trend continued throughout 2023, with compromised credentials representing the root cause of over 50% of IR cases for the entire year.

When looking at Active Adversary data cumulatively from 2020 through 2023, compromised credentials were also the number one ‘all-time’ root cause of attacks, involved in nearly a third of all IR cases. Yet despite the historical prevalence of compromised credentials in cyberattacks, organisations did not have multi-factor authentication configured in 43% of IR cases in 2023.

Exploiting vulnerabilities was the second most common root cause of attacks, both in 2023 and when analysing data cumulatively from 2020 through 2023, accounting for the root cause in 16% and 30% of IR cases, respectively.

“Managing risk is an active process. Organisations that do this well experience better security situations than those that do not, in the face of continuous threats from determined attackers. Acting on the information is an important aspect of managing security risks, beyond identifying and prioritising them. Yet, for far too long, certain risks, such as open RDP, continue to plague organisations, to the delight of attackers who can walk right through the front door of an organisation. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall and better able to defeat cyberattacks,” said Shier.

The Sophos Active Adversary Report for 1H 2024 is based on more than 150 incident response (IR) investigations spanning the globe across 26 sectors. Targeted organisations are located in 23 different countries, including the United States, Canada, Mexico, Colombia, the United Kingdom, Sweden, Switzerland, Spain, Germany, Poland, Italy, Austria, Belgium, the Philippines, Singapore, Malaysia, India, Australia, Kuwait, the United Arab Emirates, Saudi Arabia, South Africa and Botswana.

To learn more about the current adversary landscape, read It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024 on https://news.sophos.com/en-us/2024/04/03/active-adversary-report-1h-2024/.


Credit(s)

Email: [email protected]
www:
Articles: More information and articles about Sophos



Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

From prevention to protection
Securex South Africa News & Events Fire & Safety
The Western Cape’s varied landscapes and rapid urban development present a range of fire safety challenges, from densely populated city centres to remote industrial sites, and from heritage buildings to new high-rise developments.

Read more...
Workflow and asset management solutions
Asset Management News & Events
Zamatrack’s innovative workflow and asset management solutions feature the Worxit platform. This all-in-one solution allows businesses to streamline operations with real-time tracking, GPS data, and custom reports.

Read more...
SAQCC Gas awareness
Associations News & Events
SAQCC Gas will raise awareness within the gas industry by emphasising the importance of using registered gas practitioners and getting a Certificate of Compliance (CoC) for all your gas systems.

Read more...
Why Securex matters more than ever
Securex South Africa News & Events Fire & Safety Facilities & Building Management
Visitors will observe the application of integrated security solutions, including AI-enhanced surveillance, cloud-based access control, cybersecurity tools, and perimeter protection within residential, commercial, logistics, and industrial environments

Read more...
Fire Ops SA Partners with Matrix
News & Events Fire & Safety Residential Estate (Industry)
Fire Ops SA, a South African private fire and rescue service, has announced its partnership with Matrix Vehicle Tracking to launch FireStop, providing Matrix and Beame clients with direct access to a dedicated professional private fire service.

Read more...
SABRIC Annual Crime Statistics 2024
News & Events Security Services & Risk Management Residential Estate (Industry)
SABRIC has released its Annual Crime Statistics for 2024, reflecting a significant decline in financial crime losses, but also warning of the growing threat posed by artificial intelligence (AI) in fraud schemes.

Read more...
Adding AI analytics to security monitoring
SEON South Africa News & Events Perimeter Security, Alarms & Intruder Detection Residential Estate (Industry) AI & Data Analytics
SEON has announced its latest integration with Refraime, an AI-powered video analytics platform designed to elevate CCTV surveillance through real-time object detection and intelligent alerting.

Read more...
Advances in electric fence management
Nemtek Electric Fencing Products News & Events Perimeter Security, Alarms & Intruder Detection
Nemtek will demonstrate its newly enhanced FG7C+ Fence Controller, now featuring an advanced software upgrade that connects all Nemtek devices, aggregating data to a single point for efficient electric fence alarm monitoring and control.

Read more...
Fire safety in focus
Securex South Africa Fire & Safety News & Events
Firexpo Cape Town visitors will not only compare technologies side-by-side, but also connect with suppliers and experts who understand both the region’s regulatory framework and its unique environmental risks.

Read more...
Blue Security ranked best reaction team in KZN
News & Events Commercial (Industry)
Blue Security has been ranked the Best Reaction Team in KwaZulu-Natal following its outstanding performance at the SAIDSA Reaction Man Competition 2025, which took place on 25 September at the Ballito Defensive Sport Shooting Club.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.