RDP Hijacked for Lateral Movement in 69% of Attacks

Some 90% of cyber-attacks investigated by a leading security vendor last year involved abuse of the Remote Desktop Protocol (RDP), and ransomware featured in 81%.
The figures come from a new Active Adversary Playbook 2021 compiled by Sophos from the experiences of its frontline threat hunters and incident responders.
It revealed that, while RDP is often used to gain initial access into victim organizations, especially during ransomware attacks, it was also hijacked by attackers in 69% of incidents for lateral movement.
Techniques such as using VPNs and multi-factor authentication (MFA), which focus on preventing unauthorized external access to RDP, won’t work if the attacker is already in the network, Sophos warned.
In fact, it seems as if attackers are increasingly capable of slipping past perimeter defenses to infiltrate networks. The average dwell time for cases investigated by Sophos was 11 days. Considering that many of these were ransomware attacks, which typically require less time, 264 hours is more than enough for threat actors to do their worst.
“With adversaries spending a median of 11 days in the network, implementing their attack while blending in with routine IT activity, it is critical that defenders understand the warning signs to look out for and investigate,” argued Sophos senior security advisor, John Shier.
“One of the biggest red flags, for instance, is when a legitimate tool or activity is detected in an unexpected place. Most of all, defenders should remember that technology can do a great deal but, in today’s threat landscape, may not be enough by itself. Human experience and the ability to respond are a vital part of any security solution.”
According to ESET, RDP attacks increased by a staggering 768% between Q1 and Q4 2020 as cyber-criminals focused on exploiting a tool used increasingly by remote workers to access their corporate desktops.