Blackpanda’s rapid forensic engagement uncovered a chain of security weaknesses—exposed RDP services, poor password hygiene, and confirmed credential compromise—that placed the Victim at imminent risk of ransomware or data theft.
Date of Incident: February 2025
VPN & RDP Credential Abuse: The First Indicators of Compromise
Blackpanda’s investigation determined that attackers had successfully authenticated to the Victim’s network using compromised credentials. Forensic review identified:
- Valid admin credentials used to log in from high-risk overseas IP addresses.
- Multiple failed login attempts preceding successful access—consistent with brute-force or credential-stuffing attacks.
- Remote Desktop Protocol (RDP) exposure on internet-facing systems without IP restrictions.
- Weak or reused passwords across administrative accounts.
While no malicious payload was executed during the investigation window, these conditions created a high likelihood of further exploitation had the compromise gone undetected.
"We caught it before any encryption or theft, but the door was wide open for attackers to walk in."
ODIR in Action: Rapid Triage & Containment
Without an active IR-1 subscription, the Victim engaged Blackpanda’s ODIR service to perform urgent triage. The response team:
- Identified all accounts used by the attacker and confirmed credential compromise.
- Traced the source of logins to foreign IPs unrelated to business operations.
- Pinpointed exposed RDP services and recommended immediate access restrictions.
- Guided the Victim through credential resets and network lockdown measures.
A Critical Near-Miss
Although no ransomware deployment or data exfiltration was observed, the conditions mirrored those seen in pre-ransomware staging:
- Credential theft enabling administrative control.
- Open RDP facilitating remote access without MFA.
- Password reuse increasing the attack surface.
This combination could have escalated to full business disruption within hours if left unaddressed.
From ODIR to IR-1
Recognizing the severity of the exposure and the cost of reactive response, the Victim subscribed to Blackpanda IR-1 after the incident to secure:
- Zero-cost, unlimited incident response activation.
- Continuous Attack Surface Management (ASM) to detect open RDP or other exposed services.
- Integrated cyber insurance options for financial risk mitigation.
Post-Incident Remediation Plan
Blackpanda provided a structured remediation roadmap:
Critical:
- Enforce complex password policies and rotation schedules.
- Implement MFA for all remote access methods (VPN, RDP).
- Remove all unnecessary internet-facing services.
High Priority:
- Audit firewall rules and restrict access to trusted IPs.
- Enable real-time alerting for suspicious login attempts.
- Conduct credential hygiene checks and remove dormant accounts.
Ongoing Risk Reduction:
- Regular penetration testing focused on remote access exposure.
- Security awareness training for staff on credential safety.
- Quarterly ASM reviews to detect changes in the attack surface.
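The findings above (a burst of failed logons followed by a successful one, from an IP unrelated to business operations) and the "real-time alerting for suspicious login attempts" item in the remediation plan both come down to one detection. The following is an added example, not Blackpanda's code or anything from the engagement: it runs that logic over constructed Windows Security log records. Event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the pipe-delimited record format, the sample entries, the failure threshold, the look-back window and the trusted network ranges are all assumptions made for the example.

```python
"""Detect brute-force-then-success RDP logons in Windows Security event records.

Added example for this case study (not Blackpanda's code). Event IDs 4624
(successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive,
i.e. RDP) are real Windows Security log values; the record format, sample data,
thresholds and trusted network ranges below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed: the organisation's known office/egress ranges. Anything else is
# treated as "unrelated to business operations" for alerting purposes.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]
FAILED_THRESHOLD = 5            # failures before a success that trigger an alert
WINDOW = timedelta(minutes=30)  # look-back window for those failures


@dataclass
class LogonEvent:
    when: datetime
    event_id: int      # 4624 = success, 4625 = failure
    logon_type: int    # 10 = RemoteInteractive (RDP)
    user: str
    src_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed pipe-delimited record:
    <ISO timestamp>|<event_id>|<logon_type>|<user>|<src_ip>"""
    when, event_id, logon_type, user, src_ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(when), int(event_id),
                      int(logon_type), user, src_ip)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a known business range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(events):
    """Return alerts for RDP successes preceded by a burst of failures from the
    same source IP, and for any RDP success from an untrusted IP.

    Failures are tracked per source IP rather than per account so that
    credential stuffing spread across several usernames is still caught."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> timestamps of failed logons
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != 10:        # only RDP logons are in scope here
            continue
        if ev.event_id == 4625:
            failures[ev.src_ip].append(ev.when)
            continue
        if ev.event_id != 4624:
            continue
        recent = [t for t in failures[ev.src_ip] if ev.when - t <= WINDOW]
        if len(recent) >= FAILED_THRESHOLD:
            alerts.append(("brute_force_success", ev.user, ev.src_ip, len(recent)))
        if not is_trusted(ev.src_ip):
            alerts.append(("untrusted_source_success", ev.user, ev.src_ip, 0))
    return alerts


# Constructed sample: five failures against several admin accounts from one
# foreign IP, then a success; and a normal office user with a single typo.
SAMPLE_LOG = """\
2025-02-10T02:11:04|4625|10|administrator|198.51.100.23
2025-02-10T02:11:09|4625|10|administrator|198.51.100.23
2025-02-10T02:11:15|4625|10|admin|198.51.100.23
2025-02-10T02:11:21|4625|10|administrator|198.51.100.23
2025-02-10T02:11:28|4625|10|backup_admin|198.51.100.23
2025-02-10T02:12:03|4624|10|administrator|198.51.100.23
2025-02-10T09:00:12|4624|10|jsmith|203.0.113.40
2025-02-10T09:03:45|4625|10|jsmith|203.0.113.40
2025-02-10T09:04:01|4624|10|jsmith|203.0.113.40
"""


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse_event(l) for l in SAMPLE_LOG.splitlines() if l)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the office user produces no alert, while the foreign source produces two: the brute-force-then-success pattern (five failures inside the window) and a success from outside the trusted ranges. In practice the records would be fed from the Security log or a SIEM, and the trusted ranges would come from the firewall allowlist the remediation plan calls for, so that any RDP success from outside that list is an alert by definition.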
IR-1: Always-On Cyber Emergency Coverage
Blackpanda’s IR-1 solution ensures 24/7 digital forensics and incident response coverage, proactive ASM monitoring, and discounted cyber insurance—removing delays, contracts, and uncertainty when incidents occur.
Already an IR-1 subscriber? You’re covered. Log in to view your ASM results or contact us at customercare@blackpanda.com to activate your coverage or request a quote.
Frequently Asked Questions
1) What happened in the Hong Kong EV charging provider cyber incident?
In February 2025, attackers used stolen admin credentials and exposed RDP to access a Hong Kong EV charging provider. Blackpanda contained the threat before ransomware or data theft.
2) How did attackers gain access to admin accounts?
They authenticated with compromised credentials following multiple failed attempts consistent with brute force or credential stuffing, targeting internet-exposed RDP.
3) Why is RDP exposure dangerous for SMEs?
Unrestricted, internet-facing RDP enables remote logins from anywhere. Without MFA and IP allowlists, attackers can reuse or brute-force credentials to gain admin access.
4) What did Blackpanda’s forensic investigation uncover?
Valid logins from overseas IPs, weak or reused passwords, and open RDP services. No encryption or exfiltration occurred during the investigation window.
5) How does Blackpanda IR-1 prevent credential compromise?
IR-1 provides unlimited incident response activation, continuous Attack Surface Management to detect exposures like RDP, and access to integrated cyber insurance for financial resilience.