In its latest Active Adversary analysis, Sophos, a cybersecurity solutions provider, found that cybercriminals have increasingly leveraged remote desktop protocol (RDP), a common method for establishing remote access on Windows systems, in their attacks.
According to Sophos, RDP abuse was detected in 90% of the cases it handled. This is, so far, the highest incidence of such abuse since the inception of Sophos’s Active Adversary reports in 2020.
The Active Adversary analysis, titled “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024,” analyzed over 150 incident response (IR) cases managed by the Sophos X-Ops IR team throughout 2023, highlighting a disturbing trend in cybercriminal behavior.
“Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond,” said John Shier, field CTO, Sophos. “Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”
Network breaches
The report underscores that external remote services like RDP emerged as the predominant avenue for initial network breaches, constituting the method of initial access in 65% of the IR cases documented in 2023. This perpetuates a concerning pattern observed since the inception of the Active Adversary reports.
While compromised credentials and vulnerabilities remain key factors in cyber intrusions, the report reveals a notable shift: in 2023, compromised credentials surpassed vulnerabilities as the primary root cause of attacks for the first time. Even so, a concerning 43% of organizations lacked multi-factor authentication, leaving them vulnerable to credential-based breaches.
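The two findings above, RDP as the leading initial-access route and credentials as the leading root cause, suggest one concrete check a defender can run over Windows Security logs: flag successful RDP logons that arrive from outside the organization and note how many failed attempts preceded them. The following is an added example, not code from Sophos or the report; the JSON-lines events, the internal address ranges and the failure threshold are all constructed assumptions.

```python
import ipaddress
import json

# Constructed sample of Windows Security events in JSON-lines form.
# EventID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = "\n".join([
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.0.5.20"}',
    '{"EventID": 4624, "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "-"}',
])

# Assumed internal address ranges; a real deployment substitutes its own.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip_text):
    """True when the source address lies outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" or another placeholder: no network source recorded
    return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)

def find_exposed_rdp_logons(log_text, fail_threshold=3):
    """Return successful RDP logons from external sources, each with the
    number of failed logons seen earlier from the same source; a run of
    failures before the success points to guessed credentials."""
    failures = {}
    hits = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("LogonType") != 10:
            continue  # only RDP sessions are of interest here
        src = ev.get("IpAddress", "-")
        if ev["EventID"] == 4625:
            failures[src] = failures.get(src, 0) + 1
        elif ev["EventID"] == 4624 and is_external(src):
            prior = failures.get(src, 0)
            hits.append({"user": ev["TargetUserName"], "source": src,
                         "prior_failures": prior,
                         "likely_guessed": prior >= fail_threshold})
    return hits

if __name__ == "__main__":
    for hit in find_exposed_rdp_logons(SAMPLE_EVENTS):
        print(hit)
```

A single external RDP success with no prior failures still warrants review: the report's point is that an exposed RDP service plus a compromised credential needs no failed attempts at all.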
Shier emphasized the need for organizations to actively mitigate risks, advocating for measures such as reducing exposed services and implementing robust authentication protocols to bolster overall security against relentless cyber threats.