Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:57 PM
Connect Directly

RDP Ports Prove Hot Commodities on the Dark Web

Remote desktop protocol access continues to thrive in underground markets, primarily to hackers who lack expertise to find exposed ports themselves.

Security trends come and go, but the sale of Remote Desktop Protocol (RDP) ports continues to thrive on the Dark Web as malicious hackers seek easier means of gaining access to corporate networks.

RDP is a Microsoft protocol and client interface used on several platforms including Windows, where it has been a native OS feature since Windows XP. Most of the time, RDP is used for legitimate remote administration: when companies outsource IT, or remote admins have to access a colleague's machine, they most commonly use RDP to connect to it.

But the same technologies that enable administrators to access remote machines can give hackers the keys they need to break into, move around, and steal data from enterprise targets.

"It really goes with the entire story of this growing crime-as-a-service market," says Ed Cabrera, chief cybersecurity officer at Trend Micro. The buying and selling of RDP credentials - like any other credentials bought and sold on the criminal underground - has evolved from one-stop shop transactional forums to a decentralized, specialized marketplace, he says. Attackers can buy RDP credentials in bulk or they can seek out data they need to target specific industries.

There are many actions a threat actor can take with RDP access (credential harvesting, account takeover, cryptocurrency mining among them) and it's easier for them to launch these threats if they have access to an RDP port. Skilled attackers often find the ports themselves by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.

Still, many threat actors of all skill levels buy RDP access on the Dark Web, where the ports are hot commodities, as are tools to delete attackers' activity once their work is done.

"Knockoff versions of some popular tools proliferate as well once the original developers decide to no longer support their tools," write Flashpoint's Luke Rodeheffer, cybercrime intelligence analyst, and Mike Mimoso, editorial director, in a blog post on the topic. The tools continue to generate interest on Dark Web forums, primarily Russian-speaking marketplaces, according to Flashpoint.

How much will attackers spend on these credentials? It depends what they're looking for. Earlier this year, researchers on the McAfee Advanced Research Team found RDP access for a major international airport was being sold via Russian RDP shop UAS for the low price of $10. However, actors may pay more for access to specific sectors and/or high-value targets.

Chet Wisniewski, principal research scientist in Sophos' Office of the CTO, says the quantities of RDP ports available on the Dark Web have kept prices low, "almost identical to what we see with stolen credit cards," he says. "Same with RDP, there are tens of thousands of open RDP systems across the Internet."

So You Have RDP Credentials. Now What?

Once they have RDP credentials, an attacker can use their access to launch several attacks. Stolen usernames and passwords mark the initial attack vector in just about every cyberattack, Cabrera says, noting they help start phishing campaigns, ransomware, and data breaches. RDP access helps attackers target server infrastructure directly.

"If I get access to a server, to RDP, I can just launch the Web browser that's built in and download anything and everything I want to build on that system," says Wisniewski. It doesn't take an advanced attacker to abuse RDP; as he puts it, "even the dumbest criminal" can do a reasonable amount of damage.

Once they're inside, attackers typically target the passwords of admin accounts to maximize their system access. They might download and install low-level system tweaking software and use it to disable or reconfigure anti-malware software on the machine, Sophos researchers explained in a post on RDP and ransomware distribution. They may also turn off database services to leave files vulnerable, or upload and run their choice of ransomware.

"If it's handy for a system administrator, it's handy for a hacker," Wisniewski adds. If you have remote control software facing the Internet, any attacker can find and abuse it.

However, advanced attackers can do more damage with the same level of access.

Hotter Targets, Higher Prices

Less skilled attackers are more likely to purchase bulk RDP access on the Dark Web, Wisniewski adds, because they lack expertise to find open ports. Skilled hackers are more likely to seek out and purchase credentials to high-value targets; for example, defense contractors.

"It's not only identifying and selling in bulk," says Cabrera. "I think what's happening with RDP credentials, like other services and commodities, is that the criminals today are becoming a little more sophisticated in what they're looking for." Instead of selling credentials in bulk, they can categorize them and provide guaranteed persistence or system access.

Someone who finds 100 exposed RDP servers can instead of selling access on a forum for $10 each, figure out who they belong to, says Wisniewski. Low-value credentials sell in bulk for cheap, but high-value targets can go for markedly higher prices – up to tens of thousands of dollars. The high dollar value is limited to adversaries who want that specific access.

Oftentimes high-value targets are sold by attackers who harvested many RDP ports, conducted reconnaissance, and recognized they had something valuable but didn't want to risk exploiting it and facing criminal penalties. Rather than risk jail time, they take their findings to the Dark Web in hopes a more skilled attacker will want to buy it, he continues.

Cybercriminals are serving other criminals and becoming more sophisticated in the offerings they're able to provide, Cabrera explains. Not every criminal enterprise is the same, and those that provide the best services and commodities will continue to grow. "It is incredibly valuable for [RDP] to be sold in the criminal underground," he says.

How to Stay Safe: Get Offline

"The way you know it's been compromised is it's on the Internet at all," says Wisniewski. Under no circumstances should RDP ports be exposed online, and they should always go through a VPN and be protected with multi-factor authentication.

"That's table stakes for 2018," he continues. "If it's on the Internet, someone's going to make money with it.

He advises companies to lock down their servers so they have fewer capabilities if and when they are compromised. Make sure any system that is exposed, or available via VPN, is locked down so it can't access critical systems. Most organizations are smart enough to be scanning their own network interfaces to ensure they're offline, he says.

Breaching networks and servers via RDP ports remains of great interest to cybercriminals, according to Flashpoint, and there is a clear trend toward automating the process of detecting exposed RDP targets and brute-forcing access. The company recommends using complex passwords for RDP instances and avoiding relying on default or weak credentials.

"Flashpoint assesses with high confidence that cybercriminals will likely continue to use such automated technology to obtain illicit RDP access, breach servers, and remove traces of their activity," Flashpoint's blog says. Flashpoint predicts "with moderate confidence" that the potential for RDP access tools in cryptomining will drive their popularity among criminals.

Related Content:

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/18/2018 | 2:34:11 AM
Great article
I like your article. It is very informative and useful.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.