According to a new report called the Active Adversary Playbook 2021, 90% of cyberattacks investigated by Sophos last year involved abuse of the Remote Desktop Protocol (RDP). Sophos states that 81% of these attacks featured ransomware. The new report draws on the experiences of frontline threat hunters and incident responders to compile and assess information about cyberattacks over the past year. The report states that RDP is often used to gain initial access into victim organizations, but in 69% of attacks threat actors used RDP for lateral movement.
In the report, Sophos also warned that security measures such as VPN usage and deploying multi-factor authentication to prevent unauthorized external access to RDP don’t help if the attacker is already inside the network and able to move laterally by abusing RDP. Attackers are increasingly capable of evading perimeter defenses to infiltrate networks, the report claims. According to Sophos, the median attacker dwell time for cases reviewed by the company was roughly 11 days. Sophos states that RDP attacks increased dramatically, by 768%, between Q1 and Q4 of 2020, likely influenced by the shift to working from home as a result of the Covid-19 pandemic.
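Because perimeter controls such as VPN and MFA do nothing once an attacker is already inside, the report's finding points defenders toward monitoring RDP logons between internal hosts. The following is an added example, not part of the Sophos report or the original article: it scans a handful of constructed Windows Security log records modelled on Event ID 4624 (successful logon) and flags any internal source address that opens RemoteInteractive (LogonType 10, the RDP logon type) sessions to several distinct hosts. The field names, the RFC 1918 ranges used to define "internal", and the fan-out threshold of three hosts are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records shaped like Windows Security Event ID 4624 entries.
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = plain network logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "203.0.113.7", "Computer": "WS-01"},   # external source, perimeter's job
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.23", "Computer": "FS-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.23", "Computer": "DC-01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup",
     "IpAddress": "10.0.5.23", "Computer": "SQL-01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.23", "Computer": "FS-01"},     # not RDP, ignored
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk",
     "IpAddress": "10.0.9.4", "Computer": "WS-07"},      # one host only, below threshold
]

# Assumed definition of "internal": the RFC 1918 private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "-" or "::1" style placeholders in real logs
    return any(addr in net for net in INTERNAL_NETS)


def internal_rdp_logons(events):
    """Keep only successful RDP logons whose source is an internal address."""
    return [
        e for e in events
        if e.get("EventID") == 4624
        and e.get("LogonType") == 10
        and is_internal(e.get("IpAddress", ""))
    ]


def fan_out(events, threshold: int = 3):
    """Map each internal source IP to the distinct hosts it reached over RDP,
    returning only sources at or above the threshold (possible lateral movement)."""
    hosts_by_source = defaultdict(set)
    for e in internal_rdp_logons(events):
        hosts_by_source[e["IpAddress"]].add(e["Computer"])
    return {
        src: sorted(hosts)
        for src, hosts in hosts_by_source.items()
        if len(hosts) >= threshold
    }


if __name__ == "__main__":
    for src, hosts in fan_out(SAMPLE_EVENTS).items():
        print(f"internal RDP fan-out from {src}: {', '.join(hosts)}")
```

On real data the same logic would run over a time window (for instance, distinct destinations per source per hour) and would exclude known jump hosts and management subnets, since those legitimately reach many machines; the point of the example is that the signal lives in internal-to-internal RDP logons, which perimeter MFA and VPN never see.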
Read More: RDP Hijacked for Lateral Movement in 69% of Attacks