Attacks/Breaches
10/23/2012
12:01 PM
Connect Directly
RSS
E-Mail
50%
50%

Russian Service Rents Access To Hacked Corporate PCs

Service provides stolen remote desktop protocol credentials, letting buyers remotely log in to corporate servers and PCs, bypassing numerous security defenses.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Want to infiltrate a business? An online service sells access credentials for some of the world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a corporate firewall.

That finding comes by way of a new report from information security reporter Brian Krebs, who's discovered a Russian-language service that traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft standard that allows for a remote computer to be controlled via a graphical user interface.

The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.

[ Do the recent U.S. bank hacks represent the new face of cyberwar? See Bank Hacks: Iran Blame Game Intensifies. ]

Here's how Dedicatexpress.com works: Hackers submit their stolen RDP credentials to the service, which pays them a commission for every rental. According to a screen grab published by Krebs, the top submitters are "lopster," with 12,254 rentals, followed by "_sz_", with 6,645 rentals. Interestingly, submitters can restrict what the machines may be used for--for example, specifying that machines aren't to be used to run online gambling operations or PayPal scams, or that they can't be run with administrator-level credentials.

New users pay $20 to join the site, after which they can search for available PC and server RDP credentials. Rental prices begin at just a few dollars and vary based on the machine's processor speed, upload and download bandwidth, and the length of time that the machine has been consistently available online.

According to Krebs, the site's managers have said they won't traffic in Russian RDP credentials, suggesting that the site's owners are based in Russia and don't wish to antagonize Russian authorities. According to security experts, Russian law enforcement agencies typically turn a blind eye to cybercrime gangs operating inside their borders, providing they don't target Russians, and that these gangs in fact occasionally assist authorities.

When reviewing the Dedicatexpress.com service, Krebs said he quickly discovered that access was being rented, for $4.55, to a system that was listed in the Internet address space assigned to Cisco, and that several machines in the IP address range assigned to Microsoft's managed hosting network were also available for rent. In the case of Cisco, the RDP credentials--username and password--were both "Cisco." Krebs reported that a Cisco source told him the machine in question was a "bad lab machine."

As the Cisco case highlights, poor username and password combinations, combined with remote-control applications, give attackers easy access to corporate networks.

Still, even complex usernames and passwords may not stop attackers. Since Dedicatexpress.com was founded in 2010, it's offered access to about 300,000 different systems in total, according to Krebs. Interestingly, 2010 was the same year that security researchers first discovered the Georbot Trojan application, which scans PCs for signs that remote-control software has been installed and then captures and transmits related credentials to attackers. Earlier this year, security researchers at ESET found that when a Georbot-infected PC was unable to contact its designated command-and-control server to receive instructions or transmit stolen data, it instead contacted a server based in the country of Georgia.

When it comes to built-in remote access to Windows machines, RDP technology was first included in the Windows XP Professional--but not Home--version of the operating system, and it has been included in every edition of Windows released since then. The current software is dubbed Remote Desktop Services (for servers) and Remote Desktop Connection (for clients).

Might Windows 8 security improvements help prevent unauthorized people from logging onto PCs using stolen remote desktop protocol credentials? That's not likely, since Microsoft's new operating system--set to debut later this week--includes the latest version, Remote Desktop Protocol 8.0, built in.

Microsoft has also released a free Windows 8 Remote Desktop application, filed in the "productivity" section of Windows Store. According to Microsoft, "the new Metro-style Remote Desktop app enables you to conveniently access your PC and all of your corporate resources from anywhere."

"As many of you already know, a salient feature of Windows Server 2012 and Windows 8 is the ability to deliver a rich user experience for remote desktop users on corporate LAN and WAN networks," read a recent blog post from Shanmugam Kulandaivel, a senior program manager in Microsoft's Remote Desktop Virtualization team.

Despite such capabilities now being built into numerous operating systems--including Linux and Mac OS X--many security experts recommend deactivating or removing such tools when they're not needed. "Personally, I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface," said Wolfgang Kandek, CTO of Qualys. He made those comments earlier this year, after the source code for Symantec's pcAnywhere Windows remote-access software was leaked to the Internet by hacktivists. Security experts were concerned that attackers might discover an exploitable zero-day vulnerability in the remote-access code, which would allow them to remotely access any machine that had the software installed.

A security information and event management system serves as a repository for all the security alerts and logging systems from a firm's devices. But this can be overkill for a company that is understaffed or has overestimated its security information needs. In our report, Does SIEM Make Sense For Your Company?, we discuss 10 questions to ask yourself in determining whether SIEM makes sense for you--and how to pick the right system if it does. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.