Remote Desktop Protocol (RDP), a system that allows users to control a computer remotely, was used in nine out of every ten cyberattacks that happened in 2023, new research has claimed.
A paper from Sophos based on analysis of more than 150 incident response (IR) cases from 2023 concludes the percentage of attacks abusing RDP has never been higher since it started tracking this metric back in 2020. In the majority of cases (65%), RDP is used to establish initial access to the target endpoint.
Furthermore, external remote services have consistently been the most frequent source of initial access, since Sophos started tracking the metric, it said.
Ransomware groups' best friend
In one case, Sophos said, an attacker successfully compromised the victim four times within six months, each time accessing the network through the victim’s exposed RDP ports. After gaining access, the attackers would move laterally throughout the network, installing malware, disabling endpoint protection tools, and establishing remote access.
“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond,” commented John Shier, field CTO, Sophos.
“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn't take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”
Remote Desktop Protocol has been the go-to tool for cybercriminals for years now. In 2023,, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) urged businesses to "strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services" to minimize the threat coming from the BianLian ransomware group.
In a joint security advisory published at the time, the law enforcement agencies said BianLian usually targets Windows systems through RDP credentials, before deploying additional software to steal more credentials, or exfiltrate sensitive data and other important files.
More from TechRadar Pro
- The FBI is telling businesses to stop using remote desktop software - here's why
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now