Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to connect to a Windows-based computer from a different location, a feature highly valued by remote workers. However, because RDP is so widely deployed, it is commonly abused by ransomware groups. Despite some enhancements, open RDP access remains one of the most widely abused methods for breaking into networks or carrying out attacks.
Sophos noted this concerning trend in its latest report, “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024.” Based on data gathered from over 150 cases in 2023, the Sophos Incident Response (IR) team observed that 20 percent of attacks leveraged RDP for external remote access and 90 percent for internal lateral movement—a record high since Sophos began tracking this IR data in 2020.
“External remote services are a necessary, but risky, requirement for many businesses,” said John Shier, field CTO, Sophos. “Attackers understand the opportunities these services can provide when they are not managed properly and actively seek them out to gain a foothold into an organization’s network.”
Easy Access, Easy Attack
“It doesn't take long for attackers to find and breach an exposed RDP server,” mentioned Shier. Once inside the network, they can access the Active Directory server, the most powerful asset on the network responsible for managing identities and system-wide policies. Attackers can also move laterally, survey what’s available to steal, deploy ransomware, and much more.
One of the worst cases highlighted by Sophos X-Ops involved attackers infiltrating an organization’s system on four occasions in just six months. In all instances, the adversaries exploited the target’s RDP ports for initial access. After that, they easily navigated through the network, deploying malicious code, disabling endpoint protection measures, and establishing their own remote entry points to exploit the IT infrastructure further.
The Sophos report is clear about the basic security measures:
- Close exposed RDP ports
- Use multi-factor authentication
- Patch vulnerable servers
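The following PowerShell script is an added example, not part of the Sophos report, that a partner or MSP could run in an elevated session on a Windows host to check it against the three measures above. It reports whether RDP is enabled, which enabled inbound firewall rules admit TCP/3389 and from which remote addresses, whether Network Level Authentication (NLA) is required, and how recently a hotfix was installed. It assumes Windows 10/11 or Server 2016 and later with the NetSecurity module present; the rule name and address range in the commented remediation lines are assumptions to be replaced with the site's own values. Note that NLA is not multi-factor authentication: MFA for RDP is normally enforced by an RD Gateway, VPN, or third-party credential provider, which this script cannot verify.

```powershell
# Added example (not Sophos code): audit a host against the three RDP controls.
# Assumes an elevated session on Windows 10/11 or Server 2016+.

$findings = @()

# 1. Is RDP enabled? fDenyTSConnections = 0 means connections are accepted.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host'
}

# 2. Which enabled inbound Allow rules admit TCP/3389, and from which remote addresses?
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $isRdp = ($port.Protocol -eq 'TCP') -and (($port.LocalPort -contains '3389') -or ($port.LocalPort -eq 'Any'))
    if ($isRdp) {
        $addr   = $rule | Get-NetFirewallAddressFilter
        $remote = ($addr.RemoteAddress -join ',')
        if ($remote -eq 'Any') {
            # Exposed to every source the interface can reach; this is the "open RDP" case.
            $findings += "Rule '$($rule.DisplayName)' allows RDP from ANY remote address"
        } else {
            $findings += "Rule '$($rule.DisplayName)' allows RDP from $remote"
        }
    }
}

# 3. Is Network Level Authentication required? (Credentials are checked before a session is created.)
$nlaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = Get-ItemProperty -Path $nlaPath -Name UserAuthentication -ErrorAction SilentlyContinue
if (-not $nla -or $nla.UserAuthentication -ne 1) {
    $findings += 'Network Level Authentication is not required for RDP'
}
# NLA is not MFA; confirm separately that RDP access goes through an MFA-enforcing gateway or VPN.

# 4. Patch currency: flag hosts whose most recent hotfix is older than 30 days.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += 'No hotfix installation dates found'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Last hotfix ($($latest.HotFixID)) installed $($latest.InstalledOn.ToShortDateString())"
}

if ($findings.Count -eq 0) {
    Write-Output 'No RDP exposure findings'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Remediation sketch (assumed values, adjust to the site):
# Restrict the built-in RDP rule to the management network instead of 'Any':
#   Set-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -RemoteAddress '10.0.0.0/8'
# Require NLA:
#   Set-ItemProperty -Path $nlaPath -Name UserAuthentication -Value 1
# Disable RDP entirely where it is not needed:
#   Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1
```

The firewall check is host-local, so a host that passes it can still be exposed through port forwarding or NAT on the perimeter; pair it with an external scan of the public address space. The 30-day patch threshold is an assumption; set it to the organisation's own patch window.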
Sophos emphasizes these practices repeatedly because many organizations lack the skills or resources to handle these three fundamental security principles, leading to recurring defense lapses each year.
How Partners and MSPs Can Help
“Given that RDP abuse is a recurring issue, it’s clear that organizations need help,” said Shier. “This is where channel partners and MSPs come in. By leveraging the threat intelligence in the Active Adversary report, partners can advise customers and prospects on the three basic security steps we’ve outlined, or they can implement them themselves as part of their routine services. Why make it easy for attackers to ‘walk in the front door’ of an organization and, most likely, execute potentially devastating ransomware?”
For more information, download the Sophos Active Adversary report today.