'RDP Shops' Proliferate Throughout the Dark Web

With a little searching, along with $10, anyone searching the dark web earlier this year could buy access to the security and building automation systems for a major international airport.

Those stolen credentials are gone, but there's still plenty to buy.

On Wednesday, July 11, the McAfee Advanced Threat Research team released the results of months of research that showed a proliferation of so-called "RDP shops" -- abusing the Microsoft-developed Remote Desktop Protocol -- that now populate the dark web, selling access to any number of different enterprise systems thanks to bad password and other security practices.

While it's impossible to collect a definitive list of these RDP shops, McAfee researchers looked at a wide range of sites. Some small operations sold as few as 15 compromised connections, while one site -- the Russia-based Ultimate Anonymity Service (UAS) -- offered 40,000 different compromised RDP servers. During the course of their investigation, researchers noticed most large shops' prices varied by about 10% each day.

(Source: McAfee)

Researchers found groups were selling access to numerous Windows builds, from XP to Windows 10. Windows Server 2008 and 2012 were also available. Some prices were as low as $3.

However, these shops selling RDP credentials continue to grow as the world gets more connected.

"Some of the Markets have been around for several years now and steadily growing in size," John Fokker, head of cyber investigations for McAfee Advanced Threat Research, wrote in an email to Security Now. "Modern day society is connecting more and more devices with IoT, PoS, to the Internet, and these are not always secure -- cybercriminals take advantage of that. It is an easy and efficient way of entering a network, and harder to detect by basic security products."

RDP allows a user to access another PC, and is a popular tool used legitimately by many enterprise IT shops and service organizations. However, compromised RDP servers can be turned against networks by launching brute-force attacks with tools such as Hydra, NLBrute or RDP Forcer. These tools combine password dictionaries with stolen credentials.

Once inside, an attacker can create chaos within the network, launching any number of schemes. A $10 investment, for example, can produce a $40,000 ransomware attack. The SamSam attack earlier this year used stolen RDP credentials. (See Atlanta's Ransomware Attack Cost Around $2.6M – Report.)

As part of the McAfee investigation, researchers found the compromised RDP server that would allow anyone to access the systems of the airport. Fokker wrote that the company is not releasing the name of the airport, but offered details of how his team found the access:

"The account details for sale belonged to an admin account on that system [and] there were also other accounts belonging to 2 companies specializing in airport security; one in building automation and the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network would be a possible scenario. Another system that we found was directly accessible from the Internet through RDP. The account was associated with the airport's automated transit system, the passenger transport system that connects terminals. Working with the airport it was established that the system belonged to one of the airport's vendors."

Fokker added that at no time was passenger safety at risk, and McAfee has worked with the airport IT team to patch systems and get the RDP credentials removed from the dark web.

Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

In addition, McAfee has attempted to contact other companies that had their security compromised, and the findings have also been shared with the FBI and the US Department of Homeland Security.

A screenshot of Blackpass.bz -- one of the most popular RDP-shops
\r\n(Source: )\r\n

The McAfee investigation also found that cybercriminals are conducting multiple different attacks once the systems are compromised, which can include starting "false flag" operations, pushing out spam, ransomware and cryptomining schemes, the latter now the most lucrative cybercrime. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes .)

Fokker noted that most of these RDP shops operate in volume, which is one reason they can sell stolen credentials and access at such a low rate. He also noted that on occasion nation-states do get in the business of buying and selling, but in most cases it is cybercriminals selling to other groups.

"We believe that the marketplaces are mostly run by individuals and or cybercriminal groups with a financial incentive," Fokker noted. "The markets are set up in an Amazon-like fashion and make shopping for RDP access, Social Security Numbers, Credit Card or Bank details child's play … That being said, we wouldn't be surprised if a nation state is also shopping for access on one of these markets, due to the ease and plausible deniability."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.