
Sophos finds RDP involved in 95% of attacks during H1 2023


A new report by cybersecurity vendor Sophos has highlighted the increasing threats to Active Directory (AD) and Remote Desktop Protocol (RDP). The report, based on incident response (IR) cases from the first half of 2023, revealed concerning trends regarding the abuse of these tools.

While ransomware remains the most prevalent attack type, the report emphasized the urgent need for security around AD and RDP. According to Sophos, adversaries used RDP in 95% of attacks during the first half of 2023, up from 88% in 2022. As a result, the vendor urged enterprises to secure their RDP deployments, arguing that doing so would likely have a significant impact on attack outcomes.

Despite some improvements made by defenders, certain aspects of RDP make it an attractive target for attackers. One significant factor is that RDP comes pre-installed on most Windows operating systems, so it is readily available on almost every host. Compounding this, Tiago Henriques, vice president of research at cyber insurance provider Coalition, warned that Microsoft does not configure RDP with brute-force protection by default.

The report also highlighted the increasing prevalence of successfully compromised credentials as a contributing factor to the popularity of RDP attacks. For the first time, compromised credentials surpassed exploiting vulnerabilities as the top root cause of attacks. In the first half of 2023, compromised credentials accounted for 50% of attacks, compared to 23% for exploiting vulnerabilities.

Another concerning finding was the lack of implementation of multifactor authentication (MFA) in many organizations. Despite the ongoing push from the cybersecurity industry and the requirement for MFA to obtain cyber insurance policies, Sophos found that MFA was not configured in 39% of IR cases during the first half of 2023.

With the combination of widespread use of compromised credentials and the norm of single-factor authentication, RDP becomes an attractive target for attackers. As Sophos Field CTO John Shier wrote in the report, “it’s no mystery why attackers love it [RDP].”

The report also shed light on how attackers use RDP. In 77% of incident response cases involving RDP, the tool was used solely for internal access and lateral movement, a significant increase from 65% in 2022.

In addition to RDP concerns, the report also revealed worrying data for AD users. Sophos reviewed incidents from 2023 and found that AD compromises led to shorter dwell times than the overall average and median. The “time-to-AD” for all attacks in the first half of 2023 was 0.68 days, equivalent to around 16 hours. This highlights the severity of AD compromises, as attackers gain access to the most privileged and powerful asset within a company.

AD compromises can enable attackers to perform various malicious actions, such as siphoning off highly privileged accounts, creating new accounts, and disabling legitimate ones. The AD server also serves as a trusted source for malware deployment and a hiding place for attackers while they carry out the rest of their attack.

Furthermore, the report exposed the under-protection of many AD servers. In one instance, Sophos discovered an organization that had mistakenly exposed its AD server on the public internet. The report also noted that adversaries have become adept at disabling Microsoft Defender, a trend observed since 2021. By disabling it, attackers bypass not only firewalls and antivirus protections but also threat detection capabilities. In the first half of 2023, this technique was observed in 43% of cases, a significant increase from previous years.

The report highlighted a recent significant attack involving AD compromise targeting email accounts using Microsoft Outlook Web Access. A China-based threat actor referred to as Storm-0558 obtained a Microsoft Account (MSA) consumer signing key, allowing them to forge tokens for Azure AD enterprise and MSA users. This resulted in the compromise of U.S. government agencies and prompted Microsoft to expand its free cloud logging capabilities to enhance the incident response process.

To combat these threats, Sophos emphasized the importance of complete telemetry for defense and IR investigations. While budget constraints may limit proper tooling, there are essential mitigations that organizations should prioritize. One such mitigation is mandating “necessary, limited, and audited” use of RDP and implementing MFA across the organization.
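As an added illustration of the missing brute-force protection mentioned above and of the “audited” RDP use Sophos recommends, the following example (written for this page, not code from the report or the article) parses constructed Windows Security logon records and flags RDP brute-force bursts plus any RDP success that follows one from the same source. It assumes a simplified CSV layout of the 4625/4624 event fields; the event IDs and LogonType 10 (RemoteInteractive) are the real Windows values, while the records themselves are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time,event_id,logon_type,source_ip,user
SAMPLE_LOG = """\
2023-05-02T08:00:01,4625,10,203.0.113.7,administrator
2023-05-02T08:00:03,4625,10,203.0.113.7,admin
2023-05-02T08:00:09,4625,3,203.0.113.7,admin
2023-05-02T08:00:14,4625,10,203.0.113.7,backup
2023-05-02T08:00:20,4625,10,203.0.113.7,jdoe
2023-05-02T08:00:31,4625,10,203.0.113.7,jdoe
2023-05-02T08:00:45,4625,10,203.0.113.7,jdoe
2023-05-02T08:01:10,4624,10,203.0.113.7,jdoe
2023-05-02T08:02:00,4625,10,198.51.100.4,asmith
2023-05-02T08:02:30,4624,10,198.51.100.4,asmith
2023-05-02T08:03:00,4624,10,10.0.0.5,helpdesk
"""

RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive (RDP)
FAILED, SUCCESS = "4625", "4624"  # Windows Security event IDs

def parse_events(text):
    """Turn the CSV-like lines into dicts with a datetime, keeping RDP logons only."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, ip, user = line.split(",")
        if logon_type == RDP_LOGON_TYPE:   # network/interactive logons are out of scope here
            events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                           "ip": ip, "user": user})
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Return (sources with >= threshold RDP failures inside `window`,
    RDP successes from such a source while its burst is still in the window)."""
    recent = defaultdict(deque)             # source ip -> timestamps of recent 4625s
    bruteforce, success_after = {}, []
    for e in events:
        q = recent[e["ip"]]
        while q and e["ts"] - q[0] > window:   # slide the window: drop old failures
            q.popleft()
        if e["id"] == FAILED:
            q.append(e["ts"])
            if len(q) >= threshold:
                bruteforce[e["ip"]] = max(bruteforce.get(e["ip"], 0), len(q))
        elif e["id"] == SUCCESS and len(q) >= threshold:
            success_after.append((e["ip"], e["user"], e["ts"].isoformat()))
    return bruteforce, success_after

if __name__ == "__main__":
    print(detect_rdp_abuse(parse_events(SAMPLE_LOG)))
```

A success-after-burst hit is the event worth paging on: it is the point at which a password-guessing session turned into a working RDP logon.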

The report serves as a reminder for enterprises to bolster the security around Active Directory and Remote Desktop Protocol, given the increasing prevalence of attacks targeting these tools. With attackers on the lookout for vulnerabilities, organizations must remain vigilant and implement necessary measures to protect their systems and networks.
