7/11/2018
09:35 AM
Scott Ferguson
News Analysis-Security Now

'RDP Shops' Proliferate Throughout the Dark Web

For as little as $10, McAfee researchers found that they could buy access to the security and building automation systems of a US airport thanks to the proliferation of 'RDP shops' across the dark web.

With a little searching and $10, anyone on the dark web earlier this year could buy access to the security and building automation systems of a major international airport.

Those stolen credentials are gone, but there's still plenty to buy.

On Wednesday, July 11, the McAfee Advanced Threat Research team released the results of months of research showing a proliferation of so-called "RDP shops" on the dark web: marketplaces that sell logins for servers reachable over Microsoft's Remote Desktop Protocol, covering any number of enterprise systems that were compromised thanks to weak passwords and other poor security practices.

While it's impossible to collect a definitive list of these RDP shops, McAfee researchers looked at a wide range of sites. Some small operations sold as few as 15 compromised connections, while one site -- the Russia-based Ultimate Anonymity Service (UAS) -- offered 40,000 different compromised RDP servers. During the course of their investigation, researchers noticed most large shops' prices varied by about 10% each day.

Researchers found groups were selling access to numerous Windows builds, from XP to Windows 10. Windows Server 2008 and 2012 were also available. Some prices were as low as $3.

These shops selling RDP credentials continue to grow as more systems are connected to the Internet.

"Some of the markets have been around for several years now and steadily growing in size," John Fokker, head of cyber investigations for McAfee Advanced Threat Research, wrote in an email to Security Now. "Modern day society is connecting more and more devices with IoT, PoS, to the Internet, and these are not always secure -- cybercriminals take advantage of that. It is an easy and efficient way of entering a network, and harder to detect by basic security products."

RDP allows a user to open an interactive session on another PC, and it is a popular tool used legitimately by many enterprise IT shops and service organizations. RDP servers exposed to the Internet, however, are routinely compromised by brute-force attacks using tools such as Hydra, NLBrute or RDP Forcer, which combine password dictionaries with previously stolen credentials; the logins that succeed are what the shops put up for sale.
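The brute-force activity described above is visible in the Windows Security log as a burst of failed logons (event 4625) with LogonType 10, the RemoteInteractive type that RDP sessions use, followed by a success (event 4624) from the same source once a guess lands. The detector below is an added example for this article, not code from the author, McAfee or Microsoft. It runs over constructed sample events embedded in the code; the field names assume the events were exported as dictionaries with the standard 4624/4625 fields, and the failure threshold and window length are assumptions, not a published standard.

```python
"""Flag RDP brute-force attempts and guessed-password successes in Windows
Security log events. Added example for this article, not McAfee's code.

Assumed input: logon events exported as dicts carrying the fields Windows
records for 4625 (failed logon) and 4624 (successful logon): LogonType,
IpAddress, TargetUserName and an ISO-8601 TimeCreated. LogonType 10 is
RemoteInteractive, i.e. a Remote Desktop session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
FAIL_THRESHOLD = 5        # assumed: failures per source that count as brute force
WINDOW_MINUTES = 10       # assumed: sliding window for counting failures


def _event(time, event_id, ip, user, logon_type=RDP_LOGON_TYPE):
    return {"TimeCreated": time, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Fast dictionary attack from one source, then a success: 6 failures in 10 s.
    _event("2018-07-11T09:00:01", 4625, "203.0.113.7", "Administrator"),
    _event("2018-07-11T09:00:03", 4625, "203.0.113.7", "admin"),
    _event("2018-07-11T09:00:05", 4625, "203.0.113.7", "rdp"),
    _event("2018-07-11T09:00:07", 4625, "203.0.113.7", "Administrator"),
    _event("2018-07-11T09:00:09", 4625, "203.0.113.7", "svc_hvac"),
    _event("2018-07-11T09:00:11", 4625, "203.0.113.7", "svc_hvac"),
    _event("2018-07-11T09:00:14", 4624, "203.0.113.7", "svc_hvac"),
    # Network logon failure (LogonType 3) from the same source: not RDP, ignored.
    _event("2018-07-11T09:00:20", 4625, "203.0.113.7", "Administrator", logon_type="3"),
    # Legitimate admin mistypes twice, then logs in: stays below threshold.
    _event("2018-07-11T09:05:00", 4625, "198.51.100.22", "jdoe"),
    _event("2018-07-11T09:05:30", 4625, "198.51.100.22", "jdoe"),
    _event("2018-07-11T09:06:00", 4624, "198.51.100.22", "jdoe"),
    # Slow attack: one guess every 15 minutes never reaches 5 in a 10-minute window.
    _event("2018-07-11T09:10:00", 4625, "192.0.2.9", "Administrator"),
    _event("2018-07-11T09:25:00", 4625, "192.0.2.9", "Administrator"),
    _event("2018-07-11T09:40:00", 4625, "192.0.2.9", "Administrator"),
    _event("2018-07-11T09:55:00", 4625, "192.0.2.9", "Administrator"),
    _event("2018-07-11T10:10:00", 4625, "192.0.2.9", "Administrator"),
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def rdp_logon_events(events):
    """Keep only RDP logon successes and failures, oldest first."""
    keep = [e for e in events
            if e.get("LogonType") == RDP_LOGON_TYPE
            and e.get("EventID") in (FAILED_LOGON, SUCCESS_LOGON)]
    return sorted(keep, key=_ts)


def find_brute_force(events, threshold=FAIL_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Sources with at least `threshold` failed RDP logons inside any span of
    `window_minutes`. Returns {ip: {failures, users, first, last}}."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in rdp_logon_events(events):
        if e["EventID"] == FAILED_LOGON:
            failures[e["IpAddress"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in it.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                span = evs[start:end + 1]
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({x["TargetUserName"].lower() for x in span}),
                    "first": span[0]["TimeCreated"],
                    "last": span[-1]["TimeCreated"],
                }
    return alerts


def find_success_after_failures(events, min_failures=3, window_minutes=WINDOW_MINUTES):
    """Successful RDP logons from a source with at least `min_failures` failed
    RDP logons in the preceding window: the point where a guessed password
    becomes a working, sellable credential."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)          # ip -> timestamps of recent failures
    hits = []
    for e in rdp_logon_events(events):
        ip, t = e["IpAddress"], _ts(e)
        recent[ip] = [f for f in recent[ip] if t - f <= window]
        if e["EventID"] == FAILED_LOGON:
            recent[ip].append(t)
        elif len(recent[ip]) >= min_failures:
            hits.append({"ip": ip, "user": e["TargetUserName"],
                         "time": e["TimeCreated"], "prior_failures": len(recent[ip])})
    return hits


if __name__ == "__main__":
    for ip, a in find_brute_force(SAMPLE_EVENTS).items():
        print(f"brute force from {ip}: {a['failures']} failures against {a['users']}")
    for h in find_success_after_failures(SAMPLE_EVENTS):
        print(f"success after {h['prior_failures']} failures: {h['ip']} as {h['user']}")
```

On the sample data the fast attacker is flagged twice, once for the burst of failures and once for the success that follows it, while the admin who mistyped a password is not. The slow attacker at one guess every 15 minutes is not flagged at all with a 10-minute window, which is the limitation of any counter-based rule and the reason that not exposing RDP to the Internet, requiring Network Level Authentication and enforcing an account lockout policy matter more than detection after the fact.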

Once inside, an attacker can create chaos within the network, launching any number of schemes. A $10 investment, for example, can produce a $40,000 ransomware attack. The SamSam attack earlier this year used stolen RDP credentials. (See Atlanta's Ransomware Attack Cost Around $2.6M Report.)

As part of the McAfee investigation, researchers found the compromised RDP server that would allow anyone to access the systems of the airport. Fokker wrote that the company is not releasing the name of the airport, but offered details of how his team found the access:

The account details for sale belonged to an admin account on that system [and] there were also other accounts belonging to 2 companies specializing in airport security; one in building automation and the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network would be a possible scenario. Another system that we found was directly accessible from the Internet through RDP. The account was associated with the airport's automated transit system, the passenger transport system that connects terminals. Working with the airport it was established that the system belonged to one of the airport's vendors.

Fokker added that at no time was passenger safety at risk, and McAfee has worked with the airport IT team to patch systems and get the RDP credentials removed from the dark web.



In addition, McAfee has attempted to contact other companies that had their security compromised, and the findings have also been shared with the FBI and the US Department of Homeland Security.

The McAfee investigation also found that cybercriminals are conducting multiple different attacks once the systems are compromised, which can include starting "false flag" operations, pushing out spam, ransomware and cryptomining schemes, the latter now the most lucrative cybercrime. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

Fokker noted that most of these RDP shops operate in volume, which is one reason they can sell stolen credentials and access at such a low rate. He also noted that on occasion nation-states do get in the business of buying and selling, but in most cases it is cybercriminals selling to other groups.

"We believe that the marketplaces are mostly run by individuals and or cybercriminal groups with a financial incentive," Fokker noted. "The markets are set up in an Amazon-like fashion and make shopping for RDP access, Social Security Numbers, Credit Card or Bank details child's play … That being said, we wouldn't be surprised if a nation state is also shopping for access on one of these markets, due to the ease and plausible deniability."

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
