
RDP credential theft and standing access: what teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Cephalus is exploiting stolen RDP credentials to enter environments, move laterally, disable backups, and encrypt systems, according to Apono’s analysis of AhnLab reporting. The lesson is that always-on access and weak MFA collapse recovery time and turn credential reuse into a fast ransomware path.

NHIMG editorial — based on content published by Apono: Cephalus Weaponizes Stolen RDP Credentials to Deploy Ransomware

Questions worth separating out

Q: What breaks when RDP access is protected only by passwords?

A: Password-only RDP turns stolen or reused credentials into immediate remote access, which is exactly what ransomware crews exploit.

Q: Why do standing privileges make ransomware incidents worse?

A: Standing privileges let an attacker use a compromised identity to do real administrative work without escalation barriers.

Q: How do security teams know whether remote admin access is too broad?

A: Look for accounts that can reach servers, stop services, or manage recovery tooling without task-specific approval or expiry.

Practitioner guidance

  • Remove direct RDP exposure: Put administrative access behind VPN, a zero-trust access broker, or a managed gateway so internet-facing logins are not the default path into servers.
  • Enforce MFA on all remote administration: Require second-factor verification for RDP and any privileged remote session so stolen passwords alone cannot be used as a working access path.
  • Separate backup administration from routine access: Restrict who can stop backup services, delete recovery points, or manage restoration tooling, and require isolated privileged accounts for those actions.

What's in the full article

Apono's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step hardening guidance for RDP exposure, MFA enforcement, and access-broker placement
  • Monitoring logic for Defender disablement, Volume Shadow Copy deletion, and suspicious RDP login patterns
  • Administrative separation guidance for backup services, SQL Server, and endpoint control planes

👉 Read Apono's analysis of Cephalus ransomware and stolen RDP credentials →
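The post lists "monitoring logic for Defender disablement, Volume Shadow Copy deletion, and suspicious RDP login patterns" as something it leaves to the source. The script below is an added example written for this thread, not code from the NHIMG post or the Apono article, showing what that logic looks like over Windows Security event records. It assumes a constructed gateway subnet (`10.20.0.0/24`), a constructed failure-burst threshold, and hand-made sample events; the field names follow the Windows Security event schema (4625 failed logon, 4624 logon with LogonType 10 = RemoteInteractive/RDP, 4688 process creation), but every value is made up.

```python
"""Flag RDP-related risk signals in Windows Security event records.

Added example for the NHIMG thread; not the Apono article's detection logic.
Three checks, each mapped to a point in the post:
  * an RDP logon (4624 / LogonType 10) that arrives from outside the access
    gateway subnet ("remove direct RDP exposure"),
  * an RDP logon that succeeds shortly after a burst of failed logons (4625)
    for the same account and source IP ("weak MFA turns reuse into access"),
  * process creation (4688) whose command line deletes shadow copies or
    turns off Defender real-time monitoring ("disable backups, then encrypt").
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: RDP to servers is only legitimate when it comes from the access
# broker / gateway subnet. Placeholder range, not taken from the article.
ADMIN_GATEWAY_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAILURE_BURST = 5                      # assumed threshold of 4625s before a 4624
BURST_WINDOW = timedelta(minutes=10)   # assumed look-back window

# Command-line fragments (lowercased) that must all appear for a rule to fire.
TAMPER_RULES = {
    "shadow_copy_deletion": [
        ("vssadmin", "delete", "shadows"),
        ("wmic", "shadowcopy", "delete"),
        ("wbadmin", "delete", "catalog"),
    ],
    "defender_tamper": [
        ("set-mppreference", "disablerealtimemonitoring"),
    ],
}


def _from_gateway(ip: str) -> bool:
    """True if the source address sits inside an allowed gateway network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_GATEWAY_NETS)


def _tamper_rule(cmdline: str):
    """Return the name of the first tamper rule matching a command line, or None."""
    cmd = cmdline.lower()
    for rule, patterns in TAMPER_RULES.items():
        if any(all(frag in cmd for frag in pat) for pat in patterns):
            return rule
    return None


def analyze(events):
    """Return (rule, account, detail) findings in event-time order."""
    findings = []
    failures = defaultdict(list)       # (account, source ip) -> failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        eid = ev["EventID"]
        if eid == 4625:                                  # failed logon
            failures[(ev["TargetUserName"], ev["IpAddress"])].append(t)
        elif eid == 4624 and ev.get("LogonType") == 10:  # RDP logon
            acct, ip = ev["TargetUserName"], ev["IpAddress"]
            recent = [f for f in failures[(acct, ip)] if t - f <= BURST_WINDOW]
            if len(recent) >= FAILURE_BURST:
                findings.append(("rdp_success_after_failure_burst", acct,
                                 f"{len(recent)} failures from {ip} before success"))
            if not _from_gateway(ip):
                findings.append(("rdp_logon_bypassing_gateway", acct, f"source {ip}"))
        elif eid == 4688:                                # process creation
            rule = _tamper_rule(ev.get("CommandLine", ""))
            if rule:
                findings.append((rule, ev["SubjectUserName"], ev["CommandLine"]))
    return findings


# Constructed sample records (not real telemetry): a spray against a backup
# service account from an external address, a clean admin logon through the
# gateway, then two tampering commands run under the compromised account.
SAMPLE_EVENTS = [
    *[{"time": f"2024-05-01T09:0{i}:00", "EventID": 4625,
       "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"} for i in range(5)],
    {"time": "2024-05-01T09:05:30", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "svc-backup", "IpAddress": "203.0.113.7"},
    {"time": "2024-05-01T09:30:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "admin-jane", "IpAddress": "10.20.0.15"},
    {"time": "2024-05-01T09:38:00", "EventID": 4688, "SubjectUserName": "svc-backup",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2024-05-01T09:40:00", "EventID": 4688, "SubjectUserName": "svc-backup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-05-01T09:41:00", "EventID": 4688, "SubjectUserName": "admin-jane",
     "CommandLine": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for rule, account, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:34s} {account:12s} {detail}")
```

Run against the sample, the first three checks fire for `svc-backup` and nothing fires for the gateway-routed `admin-jane` session. Two design choices worth noting: the failure burst is keyed on account plus source IP, so a single stolen password tried from one host is caught without flagging an unrelated user who mistypes once; and the gateway check is a simple allowlist, which is only meaningful once the "remove direct RDP exposure" step above has actually made the gateway the sole path.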

