Remote desktop protocol (RDP) compromise has reached record levels in ransomware attacks, according to new data from Sophos.
The UK-based security vendor analyzed 150 of its incident response cases from 2023 and found RDP abuse featured in 90% of them to give threat actors remote access to Windows environments.
Sophos described the rate of RDP abuse as “unprecedented” and said it partially explained why “external remote services” were the most popular way for threat actors to gain initial access in ransomware attacks – accounting for 65% of cases last year.
In one case, attackers successfully compromised the same victim four times within six months via exposed RDP ports. Once inside, they were able to move laterally through its networks, downloading malicious binaries, disabling endpoint protection and establishing remote access, Sophos said.
RDP offers several advantages for ransomware actors:
- It is extremely popular among network administrators
- Attackers can abuse it for remote access without setting off any AV or EDR alarms
- It offers an easy-to-use GUI
- The service is often misconfigured, meaning it is publicly exposed and protected only with easy-to-crack credentials
- Highly privileged accounts are sometimes used for RDP, amplifying the damage that can be done
- Administrators often disable security features such as Network Level Authentication
- Many organizations forget to segment their networks, which helps RDP attackers
Read more on RDP threats: VPN and RDP Exploitation the Most Common Attack Technique
“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond,” argued John Shier, Sophos field CTO.
“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”