Legacy vulnerabilities and Remote Desktop Protocol (RDP) endpoints are being singled out by attackers, according to new data based on billions of recorded cyber-attacks in 2023.
Honeypot sensors set up in the UK by insurer Coalition have recorded 5.8 billion attacks so far in 2023, roughly 17 million per day.
Three-quarters (76%) of those attacks targeted RDP, the protocol that lets remote workers connect to their Microsoft Windows desktops in the office.
This is a particularly popular method for ransomware actors, as RDP is often exposed through misconfigured access controls. According to the latest figures from Coveware, RDP compromise accounted for initial access in around 25% of ransomware attacks in Q3 2023.
“Nearly three-quarters of recorded attacks in 2023 resulted from RDP, which is a scary thought for businesses since remote working is here to stay,” said Coalition’s UK security researcher, Simon Bell.
“These attacks are extremely preventable and could potentially lead to disastrous interruption or financial losses. To reduce these risks, we recommend immediately disabling the service if it is not in use or limiting access to only the employees who need it.”
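The two mitigations recommended above, disabling RDP where it is unused or restricting who can reach it, map onto a handful of Windows settings. The following PowerShell script is an added example written for this page; it is not code from Coalition or from the article. It audits a host's RDP state (enabled, NLA required, firewall scope, permitted users) and, when a switch is given, applies one of the two fixes. The `10.0.0.0/24` management subnet is an assumed placeholder to replace with your own admin or VPN range. Run it from an elevated session as a script file, e.g. `.\Audit-Rdp.ps1 -RestrictRdp`.

```powershell
# Added example (not the article's code): audit a Windows host's RDP exposure and
# optionally apply one of the two mitigations above. Run in an elevated session.
param(
    [string[]]$AllowedRemoteAddresses = @('10.0.0.0/24'),  # assumption: your admin/VPN subnet
    [switch]$DisableRdp,     # mitigation A: RDP is not needed on this host
    [switch]$RestrictRdp     # mitigation B: RDP is needed, so fence it in
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means incoming connections are refused.
$denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
Write-Host ("RDP enabled:   {0}" -f ($denied -eq 0))

# 2. Is Network Level Authentication required? Without NLA an unauthenticated client
#    is shown the full logon screen, which is what credential-guessing tools rely on.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
Write-Host ("NLA required:  {0}" -f ($nla -eq 1))

# 3. Which remote addresses may reach the inbound RDP firewall rules?
#    A scope of 'Any' means the port is reachable from every attached network.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
  ForEach-Object {
    $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ("Rule '{0}' remote scope: {1}" -f $_.DisplayName, $scope)
  }

# 4. Who is allowed to log on over RDP? Keep this group to the people who need it.
Write-Host 'Members of Remote Desktop Users:'
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
  ForEach-Object { Write-Host ("  {0}" -f $_.Name) }

# Mitigation A: the service is not in use, so refuse connections and close the rules.
if ($DisableRdp) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled and inbound Remote Desktop rules turned off.'
}

# Mitigation B: the service is needed, so require NLA and limit the firewall
# scope to the assumed management subnet instead of any address.
if ($RestrictRdp) {
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress $AllowedRemoteAddresses
    Write-Host ("RDP now limited to: {0}" -f ($AllowedRemoteAddresses -join ','))
}
```

The audit section is read-only and safe to run across a fleet first; the two switches change state, so apply them after confirming the firewall scope and group membership reflect what the host actually needs. Restricting the firewall scope on the host is a second layer, not a substitute for keeping TCP/3389 off the internet at the perimeter.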
Unpatched legacy vulnerabilities on Coalition’s honeypots were also frequently targeted by threat actors. The most common were two pre-2023 CVEs impacting F5 BIG-IP.
“Attackers will often target old vulnerabilities to exploit. This is partly due to the availability of public exploits for these vulnerabilities, giving hackers an available playbook for successfully executing an attack,” argued Bell.
“This is also because attackers know organizations can be slow to patch their software, exposing their systems to these known vulnerabilities. Attackers can then take advantage of outdated software and easily accessible public exploits to attack such systems.”
Bell warned that Coalition policyholders with even a single unpatched critical vulnerability were 33% more likely to file a claim, and that those still running end-of-life software no longer supported by the vendor were three times more likely to suffer a security incident.