Remote desktop protocol access continues to thrive in underground markets, primarily to hackers who lack expertise to find exposed ports themselves.

Kelly Sheridan, Former Senior Editor, Dark Reading

September 17, 2018

7 Min Read

Security trends come and go, but the sale of Remote Desktop Protocol (RDP) ports continues to thrive on the Dark Web as malicious hackers seek easier means of gaining access to corporate networks.

RDP is a Microsoft protocol and client interface used on several platforms including Windows, where it has been a native OS feature since Windows XP. Most of the time, RDP is used for legitimate remote administration: when companies outsource IT, or remote admins have to access a colleague's machine, they most commonly use RDP to connect to it.

But the same technologies that enable administrators to access remote machines can give hackers the keys they need to break into, move around, and steal data from enterprise targets.

"It really goes with the entire story of this growing crime-as-a-service market," says Ed Cabrera, chief cybersecurity officer at Trend Micro. The buying and selling of RDP credentials - like any other credentials bought and sold on the criminal underground - has evolved from one-stop shop transactional forums to a decentralized, specialized marketplace, he says. Attackers can buy RDP credentials in bulk or they can seek out data they need to target specific industries.

There are many actions a threat actor can take with RDP access (credential harvesting, account takeover, cryptocurrency mining among them) and it's easier for them to launch these threats if they have access to an RDP port. Skilled attackers often find the ports themselves by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.

Still, many threat actors of all skill levels buy RDP access on the Dark Web, where the ports are hot commodities, as are tools to delete attackers' activity once their work is done.

"Knockoff versions of some popular tools proliferate as well once the original developers decide to no longer support their tools," write Flashpoint's Luke Rodeheffer, cybercrime intelligence analyst, and Mike Mimoso, editorial director, in a blog post on the topic. The tools continue to generate interest on Dark Web forums, primarily Russian-speaking marketplaces, according to Flashpoint.

How much will attackers spend on these credentials? It depends what they're looking for. Earlier this year, researchers on the McAfee Advanced Research Team found RDP access for a major international airport was being sold via Russian RDP shop UAS for the low price of $10. However, actors may pay more for access to specific sectors and/or high-value targets.

Chet Wisniewski, principal research scientist in Sophos' Office of the CTO, says the quantities of RDP ports available on the Dark Web have kept prices low, "almost identical to what we see with stolen credit cards," he says. "Same with RDP, there are tens of thousands of open RDP systems across the Internet."

So You Have RDP Credentials. Now What?

Once they have RDP credentials, an attacker can use their access to launch several attacks. Stolen usernames and passwords mark the initial attack vector in just about every cyberattack, Cabrera says, noting they help start phishing campaigns, ransomware, and data breaches. RDP access helps attackers target server infrastructure directly.

"If I get access to a server, to RDP, I can just launch the Web browser that's built in and download anything and everything I want to build on that system," says Wisniewski. It doesn't take an advanced attacker to abuse RDP; as he puts it, "even the dumbest criminal" can do a reasonable amount of damage.

Once they're inside, attackers typically target the passwords of admin accounts to maximize their system access. They might download and install low-level system tweaking software and use it to disable or reconfigure anti-malware software on the machine, Sophos researchers explained in a post on RDP and ransomware distribution. They may also turn off database services to leave files vulnerable, or upload and run their choice of ransomware.

"If it's handy for a system administrator, it's handy for a hacker," Wisniewski adds. If you have remote control software facing the Internet, any attacker can find and abuse it.

However, advanced attackers can do more damage with the same level of access.

Hotter Targets, Higher Prices

Less skilled attackers are more likely to purchase bulk RDP access on the Dark Web, Wisniewski adds, because they lack expertise to find open ports. Skilled hackers are more likely to seek out and purchase credentials to high-value targets; for example, defense contractors.

"It's not only identifying and selling in bulk," says Cabrera. "I think what's happening with RDP credentials, like other services and commodities, is that the criminals today are becoming a little more sophisticated in what they're looking for." Instead of selling credentials in bulk, they can categorize them and provide guaranteed persistence or system access.

Someone who finds 100 exposed RDP servers can instead of selling access on a forum for $10 each, figure out who they belong to, says Wisniewski. Low-value credentials sell in bulk for cheap, but high-value targets can go for markedly higher prices – up to tens of thousands of dollars. The high dollar value is limited to adversaries who want that specific access.

Oftentimes high-value targets are sold by attackers who harvested many RDP ports, conducted reconnaissance, and recognized they had something valuable but didn't want to risk exploiting it and facing criminal penalties. Rather than risk jail time, they take their findings to the Dark Web in hopes a more skilled attacker will want to buy it, he continues.

Cybercriminals are serving other criminals and becoming more sophisticated in the offerings they're able to provide, Cabrera explains. Not every criminal enterprise is the same, and those that provide the best services and commodities will continue to grow. "It is incredibly valuable for [RDP] to be sold in the criminal underground," he says.

How to Stay Safe: Get Offline

"The way you know it's been compromised is it's on the Internet at all," says Wisniewski. Under no circumstances should RDP ports be exposed online, and they should always go through a VPN and be protected with multi-factor authentication.

"That's table stakes for 2018," he continues. "If it's on the Internet, someone's going to make money with it.

He advises companies to lock down their servers so they have fewer capabilities if and when they are compromised. Make sure any system that is exposed, or available via VPN, is locked down so it can't access critical systems. Most organizations are smart enough to be scanning their own network interfaces to ensure they're offline, he says.

Breaching networks and servers via RDP ports remains of great interest to cybercriminals, according to Flashpoint, and there is a clear trend toward automating the process of detecting exposed RDP targets and brute-forcing access. The company recommends using complex passwords for RDP instances and avoiding relying on default or weak credentials.

"Flashpoint assesses with high confidence that cybercriminals will likely continue to use such automated technology to obtain illicit RDP access, breach servers, and remove traces of their activity," Flashpoint's blog says. Flashpoint predicts "with moderate confidence" that the potential for RDP access tools in cryptomining will drive their popularity among criminals.

Related Content:

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights