- Dark web markets selling remote desktop protocol (RDP) access have become all the rage.
- Security researchers found access being sold to a single compromised system on numerous dark web markets.
Security researchers have discovered dark web markets filled with little shops currently selling access to numerous government and private systems across the globe. These access credentials were harvested from numerous organizations, including government entities, that were using weak passwords while using Microsoft’s remote desktop protocol (RDP) feature.
Microsoft’s RDP is a proprietary protocol designed to facilitate administrators’ access to systems. RDP allows a user to remotely access another machine. However, hackers have increasingly begun to abuse RDP to gain unfettered access to computers and conduct malicious activities undetected.
Security researchers at McAfee, who uncovered the dark web sales of RDPs, said they found cybercriminals selling access to the security automated systems of a major international airport for just $10.
Dark Web RDP shops
The dark web has numerous RDP shops currently selling access to hacked machines. Taking a look at Russian dark web market Ultimate Anonymity Service (UAS), McAfee researchers found RDP shops ranging in size from 15 to 40,000 RDP connections - all for sale.
Researchers found RDPs sold for systems ranging from Windows XP to Windows 10. Prices ranged from $3 for configuration to $19 for a high-bandwidth system that came with admin access rights.
“Among the thousands of RDP-access systems offered, some configurations stood out. We found hundreds of identically configured Windows Embedded Standard machines for sale at UAS Shop and BlackPass; all these machines were in the Netherlands,” McAfee researchers wrote in a blog.
“The configurations are associated with several municipalities, housing associations, and health care institutions in the Netherlands.”
The researchers also found shops selling RDP access to government systems across the globe. Dozens of these RDP connections were linked to healthcare organizations, including hospitals, nursing homes and medical equipment suppliers.
“In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. The second-largest RDP shop we researched, BlackPass, offered the widest variety of products,” McAfee researchers added.
“The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts.”
Why is RDP access valuable to hackers?
Since RDPs allow hackers to gain admin access of systems, cybercriminals don’t have to rely on other tools, such as malware or create elaborate phishing campaigns, just for the initial intrusion.
RDPs also allow attackers to mask their presence and malicious activities on a victim’s system, creating false flags for investigators. In other words, RDPs offer effective means for attackers and their malicious activities to to evadedetection and go largely unnoticed.
The wide array of data that hackers gain access to via RDPs could allow them to steal additional financial and sensitive credentials, that can be leveraged to conduct other crimes, including identity theft, credit card fraud, account takeovers and more.
RDPs also allow ransomware operators to distribute their malware without using social engineering techniques such as phishing or use exploit kits. For instance, the recent SamSam ransomware attack leveraged RDP to invade and infect systems undetected.
“Cybercriminals like the SamSam group only have to spend an initial $10 dollars to get access and are charging $40K ransom for decryption, not a bad return on investment,” McAfee researchers noted.
RDPs must be more secure
Despite governments and enterprises spending billions of dollars on securing systems, sensitive information will likely still be accessed and stolen if potential backdoors such as weakly-protected RDPs still exist.
“Remotely accessing systems is essential for system administrators to perform their duties. Yet they must take the time to set up remote access in a way that is secure and not easily exploitable,” McAfee researchers concluded. “RPD shops are stockpiling addresses of vulnerable machines and have reduced the effort of selecting victims by hackers to a simple online purchase.”