Level of RDP abuse unprecedented

April 2024 News & Events

Sophos released the Active Adversary analysis, It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024. The report, which analyses more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, found that cybercriminals abused remote desktop protocol (RDP) — a common method for establishing remote access on Windows systems—in 90% of attacks. This was the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021, covering data from 2020.

In addition, external remote services such as RDP were the most common vector by which attackers initially breached networks; they were the method of initial access in 65% of IR cases in 2023. External remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, and defenders should consider this a clear sign to prioritise the management of these services when assessing risk to the enterprise.

John Shier, field CTO at Sophos, warns, “External remote services are a necessary, but risky, requirement for many businesses. Attackers are well aware of the risks these services pose and actively exploit them due to the potential rewards. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It does not take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

In one Sophos X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports. Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access.

Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks. However, the 2023 Active Adversary Report for Tech Leaders, released last August, found that for the first time in the first half of that year, compromised credentials surpassed vulnerabilities as the most frequent root cause of attacks. This trend continued throughout 2023, with compromised credentials representing the root cause of over 50% of IR cases for the entire year.

When looking at Active Adversary data cumulatively from 2020 through 2023, compromised credentials were also the number one ‘all-time’ root cause of attacks, involved in nearly a third of all IR cases. Yet despite the historical prevalence of compromised credentials in cyberattacks, organisations did not have multi-factor authentication configured in 43% of IR cases in 2023.

Exploiting vulnerabilities was the second most common root cause of attacks, both in 2023 and when analysing data cumulatively from 2020 through 2023, accounting for the root cause in 16% and 30% of IR cases, respectively.

“Managing risk is an active process. Organisations that do this well experience better security situations than those that do not, in the face of continuous threats from determined attackers. Acting on the information is an important aspect of managing security risks, beyond identifying and prioritising them. Yet, for far too long, certain risks, such as open RDP, continue to plague organisations, to the delight of attackers who can walk right through the front door of an organisation. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall and better able to defeat cyberattacks,” said Shier.

The Sophos Active Adversary Report for 1H 2024 is based on more than 150 incident response (IR) investigations spanning the globe across 26 sectors. Targeted organisations are located in 23 different countries, including the United States, Canada, Mexico, Colombia, the United Kingdom, Sweden, Switzerland, Spain, Germany, Poland, Italy, Austria, Belgium, the Philippines, Singapore, Malaysia, India, Australia, Kuwait, the United Arab Emirates, Saudi Arabia, South Africa and Botswana.

To learn more about the current adversary landscape, read It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024 on https://news.sophos.com/en-us/2024/04/03/active-adversary-report-1h-2024/.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Pentagon appointed as Milestone distributor
Elvey Security Technologies News & Events Surveillance
Milestone Systems appointed Pentagon Distribution (an Elvey Group company within the Hudaco Group of Companies) as a distributor. XProtect’s open architecture means no lock-in and the ability to customise the connected video solution that will accomplish the job.

From the editor's desk: AI and events
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Surveillance Handbook. Reading through this issue will demonstrate that AI has undoubtedly made its mark on the surveillance industry. Like ‘traditional’ video ...

Forbatt SA to distribute and support Tiandy in South Africa
Forbatt SA News & Events
The big news in this year’s SMART Surveillance Handbook is that Forbatt SA has signed a new distribution agreement with Tiandy Technologies. This brand has had limited exposure and support in South Africa in the past, but has posted significant growth internationally.

Introducing the SecuShot Bullseye Robotic Guard MK2
Secutel Technologies News & Events Surveillance
The SecuShot Bullseye Robotic Guard MK2 is a marvel of modern engineering. It integrates CCTV monitoring, remote-controlled PTZ capabilities, and a gas-powered marker into a single, compact unit.

Gallagher Security’s Integrate Roadshow
Gallagher News & Events
Gallagher Security recently teamed up with nine technology partners to showcase the latest integrated security capabilities at the Integrate Roadshow in Durban, bringing together about 60 attendees, including end users, channel partners, consultants, and other industry professionals.

Ransomware impersonates employees and self-spreads
News & Events
Following a recent incident, the Kaspersky Global Emergency Response team is shedding light on an attack where adversaries crafted their own variant of encryption malware equipped with self-propagation capabilities.

Hexagon rebrands Qognify
News & Events
Hexagon’s Safety, Infrastructure & Geospatial division announced that Qognify has officially adopted the Hexagon corporate identity and fully integrated into the division as the physical security business unit.

Five efficiency strategies for your security installation business
Securex South Africa News & Events
A recent conversation with one Securex South Africa 2024 exhibitor, led to the event organisers being able to share some advice on helping security installers make their businesses more efficient.

Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Sales basics for security installers
News & Events
Being the best security business in South Africa means little if no one uses your services. Your business success is only partly linked to how good you are at security installations.