This is according to the Sophos Active Adversary Report for 1H 2024, obtained on Friday.
This method, commonly used for remote access on Windows systems, was found to be abused in 90 per cent of attacks.
RDP is a protocol developed by Microsoft that allows users to remotely connect to and control another computer over a network connection. Users can interact with a remote computer as if they were physically present on that machine.
Out of the 150 incident response cases handled by the Sophos X-Ops IR team in 2023, external remote services served as the primary vector for initial network breaches in 65 per cent of the analyzed cases.
According to the report, external remote services have consistently been the most frequent source of initial access for cybercriminals since the Active Adversary reports were launched in 2020.
It suggested that defenders should consider this a sign to prioritise the management of these services when assessing the risk to the enterprise.
The field Chief Technology Officer at Sophos, John Shier, said, “External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond them.
“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”
The report showed that in one Sophos X-Ops customer case, attackers successfully compromised the victim four times within six months, each time gaining initial access through the customer’s exposed RDP ports.
Once inside, the attackers continued to move laterally throughout the customer’s networks, downloading malicious binaries, disabling endpoint protection, and establishing remote access.
Compromised credentials and exploiting vulnerabilities are still the two most common root causes of attacks, the report revealed.
“Managing risk is an active process. Organizations that do this well experience better security situations than those that don’t in the face of continuous threats from determined attackers.
“An important aspect of managing security risks, beyond identifying and prioritizing them, is acting on the information. Yet, for far too long, certain risks, such as open RDP, continue to plague organizations, to the delight of attackers who can walk right through the front door of an organization.
“Securing the network by reducing exposed and vulnerable services and hardening authentication will make organizations more secure overall and better able to defeat cyberattacks,” Shier explained.