Saturday, September 13, 2025

Remote desktop protocol abuses open systems to attack


Sophos report exposes critical vulnerabilities

A new report from cybersecurity firm Sophos has exposed an alarming increase in cyberattacks exploiting weaknesses in Remote Desktop Protocol (RDP) and highlighted a critical shift in attacker methodologies.

Titled “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024”, the report reveals how threat actors relentlessly target RDP, a common tool for remote access to Windows systems. The analysis, based on over 150 incident response investigations, shows that RDP exploitation reached an all-time high in 2023, facilitating a staggering 90 percent of attacks.

The report underscores that this isn’t a new phenomenon. External remote services, including RDP, have consistently led the charts as the primary initial access point for cybercriminals since Sophos began publishing its Active Adversary reports in 2020. This emphasizes the urgent need for businesses to prioritize the protection of these vulnerable services.

“These external remote services are the digital equivalent of leaving the front door wide open,” explains John Shier, field CTO at Sophos. “Attackers fully grasp the ease with which they can exploit exposed services. Once an RDP server is breached, it’s frighteningly simple for the attacker to gain a deeper foothold within the network. Effective security measures around these services are no longer optional for businesses.”

The report offers a particularly concerning case study in which a victim organization experienced four separate compromises within a six-month period. Each of these successful breaches originated from the organization’s exposed RDP ports. The persistent attacker, once inside the network, systematically compromised systems, deployed malicious tools, disabled security software, and established persistent backdoors for future access.

Perhaps even more concerning than increased RDP abuse are the report’s findings regarding compromised credentials. After years of vulnerabilities topping the list, compromised credentials have emerged as the most common root cause of attacks in recent periods. In the first half of 2023, for the first time, compromised credentials surpassed vulnerabilities as the leading threat vector. This pattern continued throughout the year, with compromised credentials accounting for over 50 percent of cases handled by Sophos.

Compounding the problem is the shocking statistic that, in 43 percent of incidents in 2023, organizations lacked multi-factor authentication (MFA), a fundamental defense against credential abuse. “MFA is one of those deceptively simple but immensely effective security controls,” stresses Shier. “Its continued underutilization is baffling given how commonly attackers target weak or stolen login information.”

While compromised credentials now rank as the top attacker strategy, the exploitation of software vulnerabilities remains a significant threat. From 2020 through 2023, vulnerabilities accounted for a substantial 30 percent of incident response cases — and in 2023 specifically, they were the root cause in 16 percent of attacks. This underscores the importance of vigilant patch management and vulnerability scanning as essential components of a robust cybersecurity strategy.

“Cyber defense is not a set-and-forget task,” emphasizes Shier. “Security risks are fluid, and organizations must proactively identify and mitigate areas like open RDP ports and inadequate authentication. Attackers won’t hesitate to exploit these weaknesses, and organizations that fail to act will find themselves increasingly vulnerable.”

The new Sophos Active Adversary Report paints a stark picture of the cyber threat landscape in 2023 and early 2024. With its in-depth analysis and real-world examples, the report provides crucial insights for businesses aiming to strengthen their cyber resilience.
