
Security Management // Access Management

7/11/2018 09:35 AM
Scott Ferguson
News Analysis - Security Now

'RDP Shops' Proliferate Throughout the Dark Web

For as little as $10, McAfee researchers found that they could buy access to the security and building automation systems of a US airport thanks to the proliferation of 'RDP shops' across the dark web.

With a little searching and $10, anyone on the dark web earlier this year could buy access to the security and building automation systems of a major international airport.

Those stolen credentials are gone, but there's still plenty to buy.

On Wednesday, July 11, the McAfee Advanced Threat Research team released the results of months of research that showed a proliferation of so-called "RDP shops" -- abusing the Microsoft-developed Remote Desktop Protocol -- that now populate the dark web, selling access to any number of different enterprise systems thanks to bad password and other security practices.

While it's impossible to collect a definitive list of these RDP shops, McAfee researchers looked at a wide range of sites. Some small operations sold as few as 15 compromised connections, while one site -- the Russia-based Ultimate Anonymity Service (UAS) -- offered 40,000 different compromised RDP servers. During the course of their investigation, researchers noticed most large shops' prices varied by about 10% each day.

Researchers found groups were selling access to numerous Windows builds, from XP to Windows 10. Windows Server 2008 and 2012 were also available. Some prices were as low as $3.

And these shops selling RDP credentials continue to grow as more of the world gets connected.

"Some of the Markets have been around for several years now and steadily growing in size," John Fokker, head of cyber investigations for McAfee Advanced Threat Research, wrote in an email to Security Now. "Modern day society is connecting more and more devices with IoT, PoS, to the Internet, and these are not always secure -- cybercriminals take advantage of that. It is an easy and efficient way of entering a network, and harder to detect by basic security products."

RDP allows a user to access another PC, and is a popular tool used legitimately by many enterprise IT shops and service organizations. However, compromised RDP servers can be turned against networks by launching brute-force attacks with tools such as Hydra, NLBrute or RDP Forcer. These tools combine password dictionaries with stolen credentials.
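The brute-force activity described above leaves a recognizable trail on the target: bursts of failed logons (Windows Security Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a success (Event ID 4624). The following is an added example, not code from McAfee or from this article, of a sliding-window detector run over a few constructed log lines. The event IDs and logon type are the real Windows Security values; the one-line `timestamp key=value` log layout, the sample addresses and usernames, and the thresholds are assumptions for the example.

```python
"""Sliding-window detector for RDP password-guessing against a Windows host.

Added example (not part of the McAfee research or the article). It parses a
handful of constructed, simplified log lines and flags source addresses that
exceed a failed-logon threshold within a time window, plus any source whose
guessing run ends in a successful RDP logon. EventID 4625 (failed logon),
4624 (successful logon) and LogonType 10 (RemoteInteractive / RDP) are the
real Windows Security values; the key=value line layout is an assumed,
simplified export format, not native EVTX.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one source hammering several accounts and then
# getting in, one benign user who mistypes once, one local (non-RDP) failure.
SAMPLE_LOG = """\
2018-07-11T02:00:01Z EventID=4625 LogonType=10 TargetUser=Administrator IpAddress=203.0.113.7
2018-07-11T02:00:02Z EventID=4625 LogonType=10 TargetUser=Administrator IpAddress=203.0.113.7
2018-07-11T02:00:03Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2018-07-11T02:00:04Z EventID=4625 LogonType=10 TargetUser=Administrator IpAddress=203.0.113.7
2018-07-11T02:00:05Z EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2018-07-11T02:00:06Z EventID=4624 LogonType=10 TargetUser=Administrator IpAddress=203.0.113.7
2018-07-11T02:10:00Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.20
2018-07-11T02:10:30Z EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.20
2018-07-11T02:11:00Z EventID=4625 LogonType=2 TargetUser=jsmith IpAddress=127.0.0.1
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def detect_rdp_guessing(log_text, threshold=5, window_seconds=300,
                        min_failures_before_success=3):
    """Return {source_ip: {"failures": n, "users": set, "success_after_failures": bool}}.

    A source is flagged when it reaches `threshold` RDP logon failures inside
    the window, or when an RDP success follows at least
    `min_failures_before_success` failures in the window (a lone typo followed
    by a success is left alone).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    users = defaultdict(set)      # ip -> usernames tried from that ip
    alerts = {}

    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue              # ignore console/service logons (LogonType != 10)
        ip, ts = ev.get("IpAddress", "?"), ev["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()

        if ev.get("EventID") == FAILED_LOGON:
            q.append(ts)
            users[ip].add(ev.get("TargetUser", "?"))
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after_failures": False})
                a["failures"] = len(q)
                a["users"] = set(users[ip])
        elif ev.get("EventID") == SUCCESS_LOGON and len(q) >= min_failures_before_success:
            # A success preceded by a run of failures from the same source is the
            # signal that matters most: a guessed (or purchased) credential worked.
            a = alerts.setdefault(ip, {"failures": len(q), "users": set(users[ip]),
                                       "success_after_failures": False})
            a["success_after_failures"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample only 203.0.113.7 is flagged: five failures across three account names inside the window, then a successful RDP logon. The benign user's single failure followed by a success is not reported, and the local console failure is skipped because its logon type is not 10. In production the same logic would read exported 4624/4625 events rather than this simplified layout, and the success-after-failures alert is the one worth routing straight to an analyst, since it indicates a credential that now works.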

Once inside, an attacker can create chaos within the network, launching any number of schemes. A $10 investment, for example, can produce a $40,000 ransomware attack. The SamSam attack earlier this year used stolen RDP credentials. (See "Atlanta's Ransomware Attack Cost Around $2.6M: Report".)

As part of the McAfee investigation, researchers found the compromised RDP server that would allow anyone to access the systems of the airport. Fokker wrote that the company is not releasing the name of the airport, but offered details of how his team found the access:

The account details for sale belonged to an admin account on that system [and] there were also other accounts belonging to 2 companies specializing in airport security; one in building automation and the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network would be a possible scenario. Another system that we found was directly accessible from the Internet through RDP. The account was associated with the airport's automated transit system, the passenger transport system that connects terminals. Working with the airport it was established that the system belonged to one of the airport's vendors.

Fokker added that at no time was passenger safety at risk, and McAfee has worked with the airport IT team to patch systems and get the RDP credentials removed from the dark web.



In addition, McAfee has attempted to contact other companies that had their security compromised, and the findings have also been shared with the FBI and the US Department of Homeland Security.

The McAfee investigation also found that cybercriminals are conducting multiple different attacks once the systems are compromised, which can include starting "false flag" operations, pushing out spam, ransomware and cryptomining schemes, the latter now the most lucrative cybercrime. (See "McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes".)

Fokker noted that most of these RDP shops operate in volume, which is one reason they can sell stolen credentials and access at such a low rate. He also noted that on occasion nation-states do get in the business of buying and selling, but in most cases it is cybercriminals selling to other groups.

"We believe that the marketplaces are mostly run by individuals and or cybercriminal groups with a financial incentive," Fokker noted. "The markets are set up in an Amazon-like fashion and make shopping for RDP access, Social Security Numbers, Credit Card or Bank details child's play … That being said, we wouldn't be surprised if a nation state is also shopping for access on one of these markets, due to the ease and plausible deniability."


— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
