Threat actors continue to see great success using simple, tried and tested methods, and bluntly, many defenders are failing to do the basics.

By

Published: 03 Apr 2024 20:51

Threat actors are abusing the widely-used Windows remote desktop protocol (RDP) remote access feature in their attack chains at a rate unprecedented since the Covid-19 pandemic, according to new analysis released by Sophos in its latest Active Adversary Report, which explored over 150 incident response cases to which its X-Ops team responded during 2023.

It said that it saw RDP exploitation occur in 90% of cases last year, the highest rate seen since the 2021 report covering data from 2020, the pandemic’s height.

In one incident, attackers successfully compromised the victim no less than four times over a six month period, in each case gaining initial access through exposed RDP ports – which was also the most common vector via which attackers breached networks, found in 65% of the documented cases.

Once inside the victim’s network, the attackers continued to move laterally through their network, downloading malicious binaries, turning off cyber security tools that were protecting their endpoints, and establishing remote control.

“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond,” said Sophos field CTO John Shier.

“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

Shier said that an important aspect of risk management – beyond mere identification and prioritisation – was acting on available information, and yet risks such as exposed RDP ports continue to plague victims “to the delight of attackers”, suggesting too many organisations are simply not paying attention.

“Managing risk is an active process. Organisations that do this well experience better security situations than those that don’t in the face of continuous threats from determined attackers…. Securing the network by reducing exposed and vulnerable services and hardening authentication will make organisations more secure overall and better able to defeat cyber attacks,” said Shier.

The latest edition of the ongoing Active Adversary series also revealed while the exploitation of vulnerabilities and the use of compromised credentials are the most common root causes of cyber attacks, the use of stolen credentials has become more widespread, and is now seen in over 50% of incident response cases – exploitation of vulnerabilities accounted for another 30%.

Shier said this was a particular concern given that in 43% of cases, organisations did not have multifactor authentication (MFA) configured properly or at all.

Other less common root causes observed by Sophos included brute force attacks (3.9% of cases), phishing (3.3%), and supply chain compromise (2.6%). In 13.6% of cases it was not possible to identify the root cause.

Cyber pros must do more

Looking back on the 2023 data, Shier wrote that given the majority of compromises arise from just three key issues – exposed RDP ports, lack of MFA, and unpatched servers – and the relative ease of addressing all three of these problems, he was left with a feeling that not enough was being done to protect organisations from harm, and that while some had the necessary protections in place, few were really paying attention to security.

“Often, the sole differences between organisations that are breached and those that aren’t are, one, the preparation entailed by selecting and putting the proper tools in place and, two, the knowledge and readiness to act when required,” he wrote.

“Unfortunately we are also still seeing the same mistakes being made by defenders every year. It’s with this in mind that we think organisations need to urgently participate in their own rescue,” continued Shier.

“No industry, product or paradigm is perfect, but we’re still fighting yesterday’s battles with, too often, they day before yesterday’s weaponry. Most of the tools and techniques described in this report have solutions, or at the very least, mitigations to limit their harm, but defences are simply not keeping up.”

Wrapping up the report, Shier said it could be tempting for cyber pros to succumb to anger at all too frequent and avoidable failures. “We say, don’t look back in anger, look forward to how you can make positive change today for a better tomorrow.”

Read more on Hackers and cybercrime prevention

Read More