09:35 AM
Scott Ferguson
News Analysis-Security Now

'RDP Shops' Proliferate Throughout the Dark Web

For as little as $10, McAfee researchers found that they could buy access to the security and building automation systems of a US airport thanks to the proliferation of 'RDP shops' across the dark web.

With a little searching, along with $10, anyone searching the dark web earlier this year could buy access to the security and building automation systems for a major international airport.

Those stolen credentials are gone, but there's still plenty to buy.

On Wednesday, July 11, the McAfee Advanced Threat Research team released the results of months of research that showed a proliferation of so-called "RDP shops" -- abusing the Microsoft-developed Remote Desktop Protocol -- that now populate the dark web, selling access to any number of different enterprise systems thanks to bad password and other security practices.

While it's impossible to collect a definitive list of these RDP shops, McAfee researchers looked at a wide range of sites. Some small operations sold as few as 15 compromised connections, while one site -- the Russia-based Ultimate Anonymity Service (UAS) -- offered 40,000 different compromised RDP servers. During the course of their investigation, researchers noticed most large shops' prices varied by about 10% each day.

(Source: McAfee)

Researchers found groups were selling access to numerous Windows builds, from XP to Windows 10. Windows Server 2008 and 2012 were also available. Some prices were as low as $3.

Low prices notwithstanding, these shops selling RDP credentials continue to grow as the world gets more connected.

"Some of the Markets have been around for several years now and steadily growing in size," John Fokker, head of cyber investigations for McAfee Advanced Threat Research, wrote in an email to Security Now. "Modern day society is connecting more and more devices with IoT, PoS, to the Internet, and these are not always secure -- cybercriminals take advantage of that. It is an easy and efficient way of entering a network, and harder to detect by basic security products."

RDP lets a user remotely control another PC, and it is a popular tool used legitimately by many enterprise IT shops and service organizations. However, RDP servers can also be turned against the networks they serve: attackers brute-force them with tools such as Hydra, NLBrute or RDP Forcer, which combine password dictionaries with stolen credentials.
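The brute-force pattern described above leaves a clear trail in Windows Security auditing: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often spread across several usernames, sometimes followed by a success (4624) from the same address once a dictionary or stolen credential hits. The detector below is an added example, not McAfee's code or anything from the article; the event records are constructed to resemble the fields a SIEM would pull from the Security log (TimeCreated, EventID, LogonType, TargetUserName, IpAddress), and the threshold and window values are assumptions to tune per environment.

```python
"""Flag RDP brute-force bursts in Windows Security logon events (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int    # 4625 = logon failure, 4624 = successful logon
    logon_type: int  # 10 = RemoteInteractive, i.e. an RDP session
    user: str
    source_ip: str


# Constructed sample (not real data): one whitespace-separated record per line,
# fields = TimeCreated EventID LogonType TargetUserName IpAddress.
# 203.0.113.7 sprays four accounts and then lands a successful RDP logon;
# 198.51.100.20 is a user who mistyped once; 192.0.2.5 is network (type 3)
# noise that an RDP-specific rule should ignore.
SAMPLE_LOG = """\
2018-07-11T09:00:01 4625 10 administrator 203.0.113.7
2018-07-11T09:00:09 4625 10 administrator 203.0.113.7
2018-07-11T09:00:18 4625 10 admin 203.0.113.7
2018-07-11T09:00:27 4625 10 admin 203.0.113.7
2018-07-11T09:00:36 4625 10 backup 203.0.113.7
2018-07-11T09:00:44 4625 10 backup 203.0.113.7
2018-07-11T09:00:52 4625 10 scanner 203.0.113.7
2018-07-11T09:01:03 4625 10 scanner 203.0.113.7
2018-07-11T09:01:15 4624 10 backup 203.0.113.7
2018-07-11T09:10:00 4625 10 jsmith 198.51.100.20
2018-07-11T09:10:20 4624 10 jsmith 198.51.100.20
2018-07-11T09:12:00 4625 3 svc_web 192.0.2.5
2018-07-11T09:12:05 4625 3 svc_web 192.0.2.5
"""


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the constructed record format into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def find_rdp_bruteforce(events: list[LogonEvent], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict[str, dict]:
    """Return {source_ip: summary} for every source with at least `threshold`
    failed RDP logons inside any `window`-long span (a sliding window over the
    sorted failures), and note whether an RDP success from that source followed
    the burst, which is the signal that a password was actually guessed."""
    failures: dict[str, list[LogonEvent]] = defaultdict(list)
    successes: dict[str, list[LogonEvent]] = defaultdict(list)
    for ev in events:
        if ev.logon_type != 10:          # only RDP (RemoteInteractive) logons
            continue
        if ev.event_id == 4625:
            failures[ev.source_ip].append(ev)
        elif ev.event_id == 4624:
            successes[ev.source_ip].append(ev)

    findings: dict[str, dict] = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e.time)
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1].time - fails[i].time <= window:
                burst_end = fails[i + threshold - 1].time
                break                    # first qualifying burst is enough to alert
        if burst_end is None:
            continue
        later = [s for s in successes.get(ip, []) if s.time >= burst_end]
        findings[ip] = {
            "failed_logons": len(fails),
            "distinct_users": sorted({e.user for e in fails}),
            "success_after_burst": later[0].user if later else None,
        }
    return findings


if __name__ == "__main__":
    for ip, summary in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

In the sample only 203.0.113.7 is reported: eight failures across four accounts in about a minute, with a successful logon as `backup` afterwards, which is the case that warrants an immediate credential reset and session review rather than just a lockout. Filtering on logon type 10 keeps SMB or service-account noise out of an RDP rule; in production the same logic would consume events from a Windows event forwarder or SIEM export instead of the embedded text.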

Once inside, an attacker can create chaos within the network, launching any number of schemes. A $10 investment, for example, can produce a $40,000 ransomware attack. The SamSam attack earlier this year used stolen RDP credentials. (See Atlanta's Ransomware Attack Cost Around $2.6M Report.)

As part of the McAfee investigation, researchers found the compromised RDP server that would allow anyone to access the systems of the airport. Fokker wrote that the company is not releasing the name of the airport, but offered details of how his team found the access:

The account details for sale belonged to an admin account on that system [and] there were also other accounts belonging to 2 companies specializing in airport security; one in building automation and the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network would be a possible scenario. Another system that we found was directly accessible from the Internet through RDP. The account was associated with the airport's automated transit system, the passenger transport system that connects terminals. Working with the airport it was established that the system belonged to one of the airport's vendors.

Fokker added that at no time was passenger safety at risk, and McAfee has worked with the airport IT team to patch systems and get the RDP credentials removed from the dark web.


In addition, McAfee has attempted to contact other companies that had their security compromised, and the findings have also been shared with the FBI and the US Department of Homeland Security.

A screenshot of Blackpass.bz -- one of the most popular RDP shops

The McAfee investigation also found that cybercriminals are conducting multiple different attacks once the systems are compromised, which can include starting "false flag" operations, pushing out spam, ransomware and cryptomining schemes, the latter now the most lucrative cybercrime. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes .)

Fokker noted that most of these RDP shops operate in volume, which is one reason they can sell stolen credentials and access at such a low rate. He also noted that on occasion nation-states do get in the business of buying and selling, but in most cases it is cybercriminals selling to other groups.

"We believe that the marketplaces are mostly run by individuals and or cybercriminal groups with a financial incentive," Fokker noted. "The markets are set up in an Amazon-like fashion and make shopping for RDP access, Social Security Numbers, Credit Card or Bank details child's play … That being said, we wouldn't be surprised if a nation state is also shopping for access on one of these markets, due to the ease and plausible deniability."


— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
