New Tactic for Lateral Movement
Security researchers have identified a new technique used by the Qilin ransomware group. The attackers are now targeting the Remote Desktop Protocol (RDP) authentication history stored on compromised Windows servers. By extracting this data, they can quickly identify which other systems a victim has connected to, allowing them to map out the internal network and identify high-value targets for encryption.
This method reduces the time attackers spend on manual reconnaissance. Instead of scanning the network broadly, they can focus on the specific servers and workstations that administrators or users have already authenticated to via RDP. This makes their lateral movement faster and harder to detect.
Impact and Defense Recommendations
The primary risk of this technique is the rapid spread of ransomware across an entire organization. If a single server is compromised, the attacker can use its stored RDP history to jump to every other machine that server has accessed. This can lead to encryption of the entire network within a very short window, limiting the time a response team has to contain the breach.
Organizations should enforce strong RDP security policies to mitigate this threat. Key measures include implementing Network Level Authentication (NLA), restricting RDP access to only the users who need it, and using multi-factor authentication. Additionally, regular review of RDP logon events can help detect unusual authentication patterns early.
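The log review recommended above can be partly automated. The following is an added example, not code from the article or from any vendor it cites; it works on constructed records that mimic the fields a SIEM extracts from Windows Security event 4624 (successful logon), where logon type 10 (RemoteInteractive) marks an RDP session. It flags two patterns that fit the behaviour described in the article: one source host opening RDP sessions to many distinct destinations within a short window (fan-out), and account-to-host pairs that never appear in a baseline of normal use. All host names, IPs, accounts and timestamps are constructed.

```python
"""Detect unusual RDP authentication patterns in Security event 4624 data.

Constructed example for the article's detection recommendation. Records use
the field names a SIEM typically extracts; logon_type 10 == RemoteInteractive.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an administrator's normal daytime RDP use from 10.0.0.15,
# one user on 10.0.0.21, then an evening burst from 10.0.0.15 to five hosts.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:02:11", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "FILESRV01"},
    {"time": "2024-05-01T08:05:30", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\jdoe", "source_ip": "10.0.0.21", "dest_host": "WS-JDOE"},
    {"time": "2024-05-01T09:30:45", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "SQLSRV02"},
    {"time": "2024-05-01T14:15:00", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "FILESRV01"},
    {"time": "2024-05-01T22:01:05", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "FILESRV01"},
    {"time": "2024-05-01T22:02:40", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "SQLSRV02"},
    # Network logon (type 3), not RDP: must be ignored by the filter.
    {"time": "2024-05-01T22:03:10", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "DC01"},
    {"time": "2024-05-01T22:04:02", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "DC01"},
    {"time": "2024-05-01T22:05:55", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "HRSRV03"},
    {"time": "2024-05-01T22:08:19", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\admin1", "source_ip": "10.0.0.15", "dest_host": "BACKUP01"},
]

# Constructed baseline of (account, destination) pairs seen during normal use.
BASELINE_PAIRS = {
    ("CORP\\admin1", "FILESRV01"),
    ("CORP\\admin1", "SQLSRV02"),
    ("CORP\\jdoe", "WS-JDOE"),
}


def rdp_logons(events):
    """Keep only successful RemoteInteractive (RDP) logons."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]


def detect_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return {source_ip: [distinct destinations]} for every source that
    reached at least `threshold` distinct hosts inside one sliding window.
    The reported list is the largest such set found for that source."""
    by_source = defaultdict(list)
    for e in rdp_logons(events):
        by_source[e["source_ip"]].append(
            (datetime.fromisoformat(e["time"]), e["dest_host"]))

    alerts = {}
    for src, entries in by_source.items():
        entries.sort()
        best = set()
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans at most `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            hosts = {h for _, h in entries[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(best):
                best = hosts
        if best:
            alerts[src] = sorted(best)
    return alerts


def new_destinations(events, baseline):
    """Return sorted (account, dest_host) pairs for RDP logons that do not
    appear in the baseline of known-good pairs."""
    seen = {(e["account"], e["dest_host"]) for e in rdp_logons(events)}
    return sorted(seen - set(baseline))


if __name__ == "__main__":
    for src, hosts in detect_fan_out(SAMPLE_EVENTS).items():
        print(f"fan-out from {src}: {', '.join(hosts)}")
    for account, host in new_destinations(SAMPLE_EVENTS, BASELINE_PAIRS):
        print(f"first-seen RDP pair: {account} -> {host}")
```

On the sample data the fan-out check reports 10.0.0.15 reaching five hosts inside ten minutes, while the type 3 network logon and the daytime sessions do not contribute; the baseline check surfaces the three destinations the administrator account had never used before. In production the thresholds and window are tuned per environment, and the baseline is built from a period of logs known to be clean.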
Source: Qilin Ransomware Uses RDP History to Accelerate Lateral Movement