RDP Hijacked for Lateral Movement in 69% of Attacks

Some 90% of cyber-attacks investigated by a leading security vendor last year involved abuse of the Remote Desktop Protocol (RDP), and ransomware featured in 81%.

The figures come from a new Active Adversary Playbook 2021 compiled by Sophos from the experiences of its frontline threat hunters and incident responders.

It revealed that, while RDP is often used to gain initial access into victim organizations, especially during ransomware attacks, it was also hijacked by attackers in 69% of incidents for lateral movement.

Techniques such as using VPNs and multi-factor authentication (MFA), which focus on preventing unauthorized external access to RDP, won’t work if the attacker is already in the network, Sophos warned.

In fact, it seems as if attackers are increasingly capable of slipping past perimeter defenses to infiltrate networks. The average dwell time for cases investigated by Sophos was 11 days. Considering that many of these were ransomware attacks, which typically require less time, 264 hours is more than enough for threat actors to do their worst.

“With adversaries spending a median of 11 days in the network, implementing their attack while blending in with routine IT activity, it is critical that defenders understand the warning signs to look out for and investigate,” argued Sophos senior security advisor, John Shier.

“One of the biggest red flags, for instance, is when a legitimate tool or activity is detected in an unexpected place. Most of all, defenders should remember that technology can do a great deal but, in today’s threat landscape, may not be enough by itself. Human experience and the ability to respond ar ..
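As an added illustration that is not part of the article or of Sophos's playbook, the check below applies the "legitimate tool in an unexpected place" heuristic to constructed Windows Security 4624 (successful logon) events: RDP sessions (logon type 10) that originate from an internal host other than an approved jump host, and a single internal source reaching several targets, are exactly the inside-the-network RDP use that perimeter VPN and MFA controls cannot see. The host names, addresses and approved-source list are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Security log 4624 events (fields mirror the event's own:
# LogonType 10 = RemoteInteractive, i.e. an RDP session; WorkstationName = src_host).
SAMPLE_EVENTS = [
    {"target_host": "FS01",       "user": "jdoe",       "logon_type": 10, "src_ip": "10.0.5.20",   "src_host": "JUMP01"},
    {"target_host": "WS-ACCT-12", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.8.44",   "src_host": "WS-HR-03"},
    {"target_host": "SQL01",      "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.8.44",   "src_host": "WS-HR-03"},
    {"target_host": "DC01",       "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.8.44",   "src_host": "WS-HR-03"},
    {"target_host": "WS-HR-03",   "user": "asmith",     "logon_type": 2,  "src_ip": "-",           "src_host": "-"},
    # external source (documentation range): the perimeter VPN/MFA layer's problem, not this check's
    {"target_host": "FS01",       "user": "jdoe",       "logon_type": 10, "src_ip": "203.0.113.7", "src_host": "-"},
]

APPROVED_RDP_SOURCES = {"JUMP01"}   # assumption: the only hosts expected to originate RDP
FAN_OUT_THRESHOLD = 3               # assumption: distinct targets from one source before alerting

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True only for RFC 1918 addresses; '-' and unparsable values count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_rdp_lateral_movement(events, approved=APPROVED_RDP_SOURCES, fan_out=FAN_OUT_THRESHOLD):
    """Return alert tuples for internal RDP logons that do not fit the expected pattern."""
    alerts = []
    targets_by_source = defaultdict(set)
    for e in events:
        if e["logon_type"] != 10 or not is_internal(e["src_ip"]):
            continue                      # not RDP, or not internal-to-internal
        if e["src_host"] in approved:
            continue                      # jump host: the expected place for RDP to come from
        alerts.append(("unexpected_rdp_source", e["src_host"], e["target_host"], e["user"]))
        targets_by_source[e["src_host"]].add(e["target_host"])
    for src, targets in targets_by_source.items():
        if len(targets) >= fan_out:       # one workstation hopping across many hosts
            alerts.append(("rdp_fan_out", src, len(targets)))
    return alerts
```

On the sample above this yields three unexpected-source alerts for WS-HR-03 plus one fan-out alert, while the jump host and the external logon produce none.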