Cybercriminals Abuse Remote Desktop Protocol In 90% of Attacks

The latest report by cybersecurity firm Sophos has revealed that cybercriminals abused Remote Desktop Protocol (RDP), a common method for establishing remote access on Windows systems, in 90 per cent of attacks.

This became the highest incidence of RDP abuse since Sophos began releasing its Active Adversary reports in 2021.

The report, which covered organisations located in 23 different countries, including the United States, Canada, Mexico, Colombia, the United Kingdom, Sweden, Switzerland, Spain, Germany, Poland, Italy, Austria, Belgium, the Philippines, Singapore, Malaysia, India, Australia, Kuwait, the United Arab Emirates, Saudi Arabia, South Africa, and Botswana, further revealed that external remote services, such as RDP, were the most often used vector by which attackers first gained access to networks.

This was the case in 65 per cent of incident response (IR) cases in 2023, the report averred, adding that, external remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020, while urging defenders to consider this a clear sign to prioritise the management of these services when assessing risk to the enterprise.

Field CTO, Sophos, John Shier, added that, “External remote services are a necessary, but risky, requirement for many businesses.
Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond.

“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

On the causes of attacks, the report noted that the two most frequent root causes of attacks are still exploiting vulnerabilities and having compromised credentials. Nevertheless, compromised credentials overtook vulnerabilities as the most common root cause of attacks in the first half of 2023, according to the 2023 Active Adversary Report for Tech Leaders, which was published in August of last year.

“For the duration of 2023, over 50 per cent of IR cases were attributed to compromised credentials. This pattern persisted. When looking at Active Adversary data cumulatively over the years from 2020 through 2023, compromised credentials were also the number one all-time root cause of attacks, involved in nearly a third of all IR cases.

“Yet, despite the historical prevalence of compromised credentials in cyberattacks, in 43 per cent of IR cases in 2023, organisations did not have multi-factor-authentication configured,” Sophos said