A recent report by global cybersecurity firm Sophos has highlighted the widespread exploitation of Remote Desktop Protocol (RDP) by cybercriminals, which accounted for 90% of cyber attacks. The findings are based on Sophos' Active Adversary Report for the second half of 2023, released on Friday.
RDP, a protocol developed by Microsoft for remote access to Windows systems, has become a favoured tool for attackers due to its functionality in allowing remote control of computers over network connections.
Sophos' X-Ops Incident Response (IR) team handled 150 cases in 2023, with external remote services identified as the primary vector for initial network breaches in 65% of these cases. The report indicates that external remote services have consistently been a top entry point for cybercriminals since the launch of the Active Adversary reports in 2020.
John Shier, Chief Technology Officer at Sophos, emphasized the inherent risks of external remote services, which are essential to many businesses but also vulnerable. Attackers actively exploit exposed RDP servers, recognizing the potential rewards that lie beyond them, including access to Active Directory servers.
The report highlights a specific case in which attackers compromised a Sophos X-Ops customer four times within six months, leveraging exposed RDP ports for initial access. Once inside the network, the attackers moved laterally, deploying malicious software, disabling endpoint protection, and establishing persistent remote access.
According to the report, compromised credentials and vulnerability exploitation remain the leading causes of cyber attacks.
Shier stressed the importance of proactive risk management, urging organizations to take steps to reduce exposure to vulnerable services like open RDP ports. Securing networks involves minimizing exposed and vulnerable services, implementing robust authentication measures, and continuously monitoring for threats to enhance the overall security posture and mitigate cyber attacks.