Cybercriminals abused remote desktop protocol (RDP) in 90% of attacks, the highest incidence of RDP abuse since 2020, according to the latest active adversary report by Sophos.
The report, based on analysis from more than 150 incident response (IR) cases handled by the Sophos X-Ops IR team in 2023, found that the most common root cause of attacks was external remote services such as RDP (65%).
“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond them. Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It does not take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side,” said John Shier, field CTO at Sophos.
Managing risk
Shier posits that organisations must be proactive in managing risks to strengthen security amidst threats.
"An important aspect of managing security risks, beyond identifying and prioritising them, is acting on the information. Yet, for far too long, certain risks, such as open RDP continue to plague organisations, to the delight of attackers who can walk right through the front door of an organisation. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall and better able to defeat cyberattacks,” said Shier.
