Attacks/Breaches
10/23/2012
12:01 PM
50%
50%

Russian Service Rents Access To Hacked Corporate PCs

Service provides stolen remote desktop protocol credentials, letting buyers remotely log in to corporate servers and PCs, bypassing numerous security defenses.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Want to infiltrate a business? An online service sells access credentials for some of the world's biggest enterprises, enabling buyers to bypass security defenses and remotely log on to a server or PC located inside a corporate firewall.

That finding comes by way of a new report from information security reporter Brian Krebs, who's discovered a Russian-language service that traffics in stolen Remote Desktop Protocol (RDP) credentials. RDP is a proprietary Microsoft standard that allows for a remote computer to be controlled via a graphical user interface.

The RDP-renting service, dubbed Dedicatexpress.com, uses the tagline "The whole world in one service" and is advertised on multiple underground cybercrime forums. It serves as an online marketplace, linking RDP-credential buyers and sellers, and it currently offers access to 17,000 PCs and servers worldwide.

[ Do the recent U.S. bank hacks represent the new face of cyberwar? See Bank Hacks: Iran Blame Game Intensifies. ]

Here's how Dedicatexpress.com works: Hackers submit their stolen RDP credentials to the service, which pays them a commission for every rental. According to a screen grab published by Krebs, the top submitters are "lopster," with 12,254 rentals, followed by "_sz_", with 6,645 rentals. Interestingly, submitters can restrict what the machines may be used for--for example, specifying that machines aren't to be used to run online gambling operations or PayPal scams, or that they can't be run with administrator-level credentials.

New users pay $20 to join the site, after which they can search for available PC and server RDP credentials. Rental prices begin at just a few dollars and vary based on the machine's processor speed, upload and download bandwidth, and the length of time that the machine has been consistently available online.

According to Krebs, the site's managers have said they won't traffic in Russian RDP credentials, suggesting that the site's owners are based in Russia and don't wish to antagonize Russian authorities. According to security experts, Russian law enforcement agencies typically turn a blind eye to cybercrime gangs operating inside their borders, providing they don't target Russians, and that these gangs in fact occasionally assist authorities.

When reviewing the Dedicatexpress.com service, Krebs said he quickly discovered that access was being rented, for $4.55, to a system that was listed in the Internet address space assigned to Cisco, and that several machines in the IP address range assigned to Microsoft's managed hosting network were also available for rent. In the case of Cisco, the RDP credentials--username and password--were both "Cisco." Krebs reported that a Cisco source told him the machine in question was a "bad lab machine."

As the Cisco case highlights, poor username and password combinations, combined with remote-control applications, give attackers easy access to corporate networks.

Still, even complex usernames and passwords may not stop attackers. Since Dedicatexpress.com was founded in 2010, it's offered access to about 300,000 different systems in total, according to Krebs. Interestingly, 2010 was the same year that security researchers first discovered the Georbot Trojan application, which scans PCs for signs that remote-control software has been installed and then captures and transmits related credentials to attackers. Earlier this year, security researchers at ESET found that when a Georbot-infected PC was unable to contact its designated command-and-control server to receive instructions or transmit stolen data, it instead contacted a server based in the country of Georgia.

When it comes to built-in remote access to Windows machines, RDP technology was first included in the Windows XP Professional--but not Home--version of the operating system, and it has been included in every edition of Windows released since then. The current software is dubbed Remote Desktop Services (for servers) and Remote Desktop Connection (for clients).

Might Windows 8 security improvements help prevent unauthorized people from logging onto PCs using stolen remote desktop protocol credentials? That's not likely, since Microsoft's new operating system--set to debut later this week--includes the latest version, Remote Desktop Protocol 8.0, built in.

Microsoft has also released a free Windows 8 Remote Desktop application, filed in the "productivity" section of Windows Store. According to Microsoft, "the new Metro-style Remote Desktop app enables you to conveniently access your PC and all of your corporate resources from anywhere."

"As many of you already know, a salient feature of Windows Server 2012 and Windows 8 is the ability to deliver a rich user experience for remote desktop users on corporate LAN and WAN networks," read a recent blog post from Shanmugam Kulandaivel, a senior program manager in Microsoft's Remote Desktop Virtualization team.

Despite such capabilities now being built into numerous operating systems--including Linux and Mac OS X--many security experts recommend deactivating or removing such tools when they're not needed. "Personally, I am a big fan of uninstalling unnecessary software, and it is always sound advice to minimize one's software footprint and related attack surface," said Wolfgang Kandek, CTO of Qualys. He made those comments earlier this year, after the source code for Symantec's pcAnywhere Windows remote-access software was leaked to the Internet by hacktivists. Security experts were concerned that attackers might discover an exploitable zero-day vulnerability in the remote-access code, which would allow them to remotely access any machine that had the software installed.

A security information and event management system serves as a repository for all the security alerts and logging systems from a firm's devices. But this can be overkill for a company that is understaffed or has overestimated its security information needs. In our report, Does SIEM Make Sense For Your Company?, we discuss 10 questions to ask yourself in determining whether SIEM makes sense for you--and how to pick the right system if it does. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.