Cybercriminals abused remote desktop protocol (RDP) in 90% of attacks, the highest incidence of RDP abuse since 2020, according to the Active Adversary analysis, “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024” by Sophos.
External remote services
The report, which analyses more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, found that external remote services such as RDP were the top attack vector to breach networks and the initial access method in 65% of IR cases in 2023.
“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond them. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side,” said John Shier, field CTO, Sophos.
Open RDP, risk to orgs
“Certain risks such as open RDP continue to plague organizations, to the delight of attackers who can walk right through the front door of an organization,” said Shier.
He highlighted the importance of securing networks by reducing exposed and vulnerable services and hardening authentication to heighten security against cyberattacks.
