Getty Images/iStockphoto

Sophos: RDP played a part in 95% of attacks in H1 2023

While Sophos observed increasing activity around Active Directory and Remote Desktop Protocol abuse, it recommended simple mitigation steps can limit the attack surface.


Listen to this article. This audio was generated by AI.

Attackers are increasingly targeting Active Directory and Remote Desktop Protocol, making security around those tools essential, according to a new report by Sophos.

In a blog post Wednesday, Sophos Field CTO John Shier shared data taken from incident response (IR) cases from the first half of 2023 in the cybersecurity vendor's midyear Active Adversary Report. While the report found ransomware remained the number one attack type, it also highlighted alarming trends around Active Directory (AD) and Remote Desktop Protocol (RDP) abuse.

During the first half of 2023, adversaries leveraged RDP in 95% of attacks, an increase from 88% in 2022. Sophos urged enterprises to secure RDPs, which Shier said "will likely have a noticeable impact."

He recognized there have been some improvements over the years by defenders, but aspects of RDP continue to make it an attractive target. For one, Shier said it comes pre-installed on most Windows operating systems. However, Tiago Henriques, vice president of research at cyber insurance provider Coalition, told TechTarget Editorial that Microsoft doesn't configure RDP with brute force protection by default.

An increase in successfully compromised credentials played a role in RDPs popularity. Sophos found that for the first time, compromised credentials surpassed exploiting a vulnerability to take the top spot in root causes. In the first half of 2023, compromised credentials accounted for 50% versus exploiting a vulnerability, which came in at 23%.

Another contributing factor was a lack of multifactor authentication (MFA) implementation despite the cybersecurity industry's ongoing push and it being mandated to obtain a cyber insurance policy. Sophos found MFA was not configured in 39% of IR cases from the first half of 2023.

"Combined with the fact that the use of compromised credentials is rampant and that single-factor authentication is the norm, it's no mystery why attackers love it [RDP]," Shier wrote in the report.

The way in which attackers used RDP was noteworthy as well. In 77% of IR incidents involving RDP, the tool was used only for internal access and lateral movement -- a significant increase from 65% in 2022, according to the report.

Active Directory concerns

Sophos' midyear "Active Adversary Report" also contained sobering data for AD users. In an interview with TechTarget Editorial at Black Hat USA 2023, Shier said that while reviewing from incidents in 2023, he kept seeing AD in the IOC lists. This year, he decided to analyze dwell times that involved AD compromises and found that such incidents had far shorter dwell times than the average and median times.

The report revealed median "time-to-AD" for all attacks in the first half of 2023 was 0.68 days, which equals around 16 hours. The media dwell time for overall attacks was eight days, down from 10 days in 2022.

"Think of the implications. Once you're on the Active Directory server, you can do everything because you're on the most privileged and powerful asset within the company," he said.

That could include siphoning off highly privileged accounts, creating new ones or disabling legitimate accounts. Shier also detailed how the AD server acts as a trusted source for malware deployment or a place to hide, while adversaries carry out the rest of their attack.

Shier also warned that many AD servers are under-protected. In one case, Sophos discovered an organization had exposed its AD server on the public internet by mistake.

"Throughout the course of our investigations we find that most AD servers are only protected with Microsoft defender, or sometimes not at all," the report read.

To make matters worse, Sophos found adversaries have become "very adept" in disabling Defender -- a trend the vendor's observed since 2021. This is accomplished through a technique MITRE refers to as Impair Defenses where attackers not only bypass firewalls and antivirus protections but also threat detection capabilities as well.

"In 2021, this technique was observed in 24% of cases, rising to 36% in 2022 and continuing to rise to 43% in the first half of 2023," the report said.

One recent, significant attack that involved AD compromise occurred against email accounts using Microsoft Outlook Web Access in Exchange Online and Outlook Web Access. A China-based threat actor Microsoft tracks as Storm-0558 obtained a Microsoft Account (MSA) consumer signing key and used it to forge tokens for Azure AD enterprise and MSA users to access the accounts. As a result, U.S. government agencies were compromised and Microsoft expanded its free cloud logging capabilities which previously hindered the IR process.

Shier emphasized that having complete telemetry is crucial for both defense and during IR investigations. While he acknowledged that insufficient budgets could contribute to a lack of proper tooling, there are certain mitigations to prioritize. For example, enterprises should mandate that RDP use is "necessary, limited and audited" and implement MFA across the organization.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Dig Deeper on Network security