VPN and RDP Exploitation the Most Common Attack Technique

Exploitation of remote services like VPNs and RDP was the most commonly seen attack technique last year, according to a new report from ReliaQuest.

The threat intelligence firm’s ReliaQuest Annual Cyber-Threat Report 2023 is based on data from 35,000 incidents remediated for clients between February 2022 and February 2023.

The report recorded nearly 5000 instances of remote service exploitation, more than double the next most common technique: active scanning. The technique became particularly popular among threat actors during the pandemic with the advent of mass home working.

“This comes as no surprise; exposed remote services, including VPN, Citrix, TeamViewer or RDP, represent one of the most common methods of enabling initial access onto a targeted network, or establishing persistence,” the report explained.

“We have observed significant threat actor interest in identifying exposed RDP servers, which has resulted in a flourishing ecosystem of cyber-criminal activity in identifying, exploiting, then selling RDP accesses onto interested third parties.”

The most common access type advertised by these initial access brokers (IABs) was RDP, which accounted for 24% of intelligence updates published by ReliaQuest in the reporting period. RDP access was also the most expensive type on offer, with an average price of $1000.

The report also revealed:

  • Initial-access malware was delivered mainly by phishing emails
  • Defensive evasion techniques are widespread, notably indicator removal, data destruction and the indicator-removal sub-technique of clearing command history
  • Risk from exposed credentials was most acute in financial services, while exploitation of open ports was particularly prevalent at utilities companies, and fraudulent impersonation of web domains was most common in the retail sector
  • CVE-2022-22965 (Spring4Shell) was cited as posing the greatest risk of all high-risk vulnerabilities, because of readily available exploits and its potential to cause significant technical and business impact
  • The construction sector (with an average of 226 incidents annually) was the most targeted by cyber-criminals, followed by transportation (167), wholesale trade (138), manufacturing (116) and retailers (105). All have a low tolerance for operational disruption

“Criminals are using any means at their disposal to infiltrate organizations, and the exploitation of remote services continues to be the easiest way in. It’s essential for organizations to adequately monitor and secure these,” argued ReliaQuest SVP of security operations, Mike McPherson.

“Ransomware remains the biggest risk facing business in 2023, and the last quarter saw more victims than ever before. Utilizing malware such as SocGholish has made their efforts more potent, which is why keeping abreast of the latest developments in tactics, techniques and procedures (TTPs) of ransomware activity, in addition to tracking groups known to be targeting your sector, is the best way to stay ahead of the curve from this pernicious activity.”