Dark Reading is part of the Informa Tech Division of Informa PLC


Scott Ferguson, News Analysis-Security Now, 09:35 AM

'RDP Shops' Proliferate Throughout the Dark Web

For as little as $10, McAfee researchers found that they could buy access to the security and building automation systems of a US airport thanks to the proliferation of 'RDP shops' across the dark web.

With a little searching, along with $10, anyone searching the dark web earlier this year could buy access to the security and building automation systems for a major international airport.

Those stolen credentials are gone, but there's still plenty to buy.

On Wednesday, July 11, the McAfee Advanced Threat Research team released the results of months of research that showed a proliferation of so-called "RDP shops" -- abusing the Microsoft-developed Remote Desktop Protocol -- that now populate the dark web, selling access to any number of different enterprise systems thanks to bad password and other security practices.

While it's impossible to collect a definitive list of these RDP shops, McAfee researchers looked at a wide range of sites. Some small operations sold as few as 15 compromised connections, while one site -- the Russia-based Ultimate Anonymity Service (UAS) -- offered 40,000 different compromised RDP servers. During the course of their investigation, researchers noticed most large shops' prices varied by about 10% each day.

(Source: McAfee)

Researchers found groups were selling access to numerous Windows builds, from XP to Windows 10. Windows Server 2008 and 2012 were also available. Some prices were as low as $3.

Despite those low prices, the shops selling RDP credentials continue to grow as the world gets more connected.

"Some of the Markets have been around for several years now and steadily growing in size," John Fokker, head of cyber investigations for McAfee Advanced Threat Research, wrote in an email to Security Now. "Modern day society is connecting more and more devices with IoT, PoS, to the Internet, and these are not always secure -- cybercriminals take advantage of that. It is an easy and efficient way of entering a network, and harder to detect by basic security products."

RDP allows a user to remotely access another computer, and it is a popular tool used legitimately by many enterprise IT shops and service organizations. However, RDP servers can be compromised and turned against networks through brute-force attacks with tools such as Hydra, NLBrute or RDP Forcer, which combine password dictionaries with stolen credentials.
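The password-guessing described above leaves a distinctive trail in the Windows Security log: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source, sometimes followed by a success (event 4624). The following detector is an added example, not code from the article or from McAfee; it assumes events have already been exported as comma-separated lines, and the log data it runs on is constructed.

```python
"""Flag RDP password-guessing bursts in exported Windows Security events.

Added example, not code from the article or from McAfee. Assumes events were
exported as "time,event_id,logon_type,user,src_ip" CSV lines. Event 4625 =
failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 guesses five accounts in ten seconds and
# then logs in; 198.51.100.7 is a user who mistyped a password once.
SAMPLE_LOG = """\
2018-07-11T09:30:00,4625,10,administrator,203.0.113.5
2018-07-11T09:30:02,4625,10,administrator,203.0.113.5
2018-07-11T09:30:04,4625,10,admin,203.0.113.5
2018-07-11T09:30:06,4625,10,scada,203.0.113.5
2018-07-11T09:30:08,4625,10,bms,203.0.113.5
2018-07-11T09:30:10,4624,10,bms,203.0.113.5
2018-07-11T09:31:00,4625,10,jsmith,198.51.100.7
2018-07-11T09:32:00,4624,10,jsmith,198.51.100.7
"""
FAILED, SUCCESS, RDP_LOGON = "4625", "4624", "10"

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, src_ip) per line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, eid, ltype, user, ip = line.split(",")
            yield datetime.fromisoformat(ts), eid, ltype, user, ip

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures", "users", "success_after"}} for sources
    with at least `threshold` RDP failures inside a sliding `window`."""
    recent = defaultdict(list)  # src_ip -> [(time, user)] within the window
    hits = {}
    for ts, eid, ltype, user, ip in parse(log_text):
        if ltype != RDP_LOGON:
            continue  # only RemoteInteractive logons matter here
        if eid == FAILED:
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                hits[ip] = {"failures": len(recent[ip]),
                            "users": sorted({u for _, u in recent[ip]}),
                            "success_after": None}
        elif eid == SUCCESS and ip in hits:
            # a success right after a guessing burst means a likely compromise
            hits[ip]["success_after"] = user
    return hits
```

On the constructed sample, only 203.0.113.5 is flagged, with five failures across four account names and a subsequent successful logon as "bms"; the single mistyped password from 198.51.100.7 stays below the threshold.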

Once inside, an attacker can create chaos within the network, launching any number of schemes. A $10 investment, for example, can produce a $40,000 ransomware attack. The SamSam attack earlier this year used stolen RDP credentials. (See Atlanta's Ransomware Attack Cost Around $2.6M Report.)

As part of the McAfee investigation, researchers found the compromised RDP server that would allow anyone to access the systems of the airport. Fokker wrote that the company is not releasing the name of the airport, but offered details of how his team found the access:

The account details for sale belonged to an admin account on that system [and] there were also other accounts belonging to 2 companies specializing in airport security; one in building automation and the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network would be a possible scenario. Another system that we found was directly accessible from the Internet through RDP. The account was associated with the airport's automated transit system, the passenger transport system that connects terminals. Working with the airport it was established that the system belonged to one of the airport's vendors.

Fokker added that at no time was passenger safety at risk, and McAfee has worked with the airport IT team to patch systems and get the RDP credentials removed from the dark web.


In addition, McAfee has attempted to contact other companies that had their security compromised, and the findings have also been shared with the FBI and the US Department of Homeland Security.

A screenshot of Blackpass.bz -- one of the most popular RDP shops

The McAfee investigation also found that cybercriminals conduct a variety of attacks once systems are compromised, including "false flag" operations, spam campaigns, ransomware and cryptomining schemes, the last of which is now the most lucrative form of cybercrime. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

Fokker noted that most of these RDP shops operate in volume, which is one reason they can sell stolen credentials and access at such a low rate. He also noted that on occasion nation-states do get in the business of buying and selling, but in most cases it is cybercriminals selling to other groups.

"We believe that the marketplaces are mostly run by individuals and or cybercriminal groups with a financial incentive," Fokker noted. "The markets are set up in an Amazon-like fashion and make shopping for RDP access, Social Security Numbers, Credit Card or Bank details child's play … That being said, we wouldn't be surprised if a nation state is also shopping for access on one of these markets, due to the ease and plausible deniability."


— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
