Hackers are taking advantage of lax passwords used to access Remote Desktop Protocol services and selling them on to others to secretly scrape data.
Dark Web marketplaces are selling remote access to desktop PCs for as little as $3, allowing criminals to spy on firms without resorting to malware.
The sale of remote access credentials is allowing attackers to steal data from organisations in healthcare, education, government, retail, and other sectors.
On Windows PCs, Microsoft’s Remote Desktop Protocol (RDP) allows individuals to connect to a computer remotely over a network. It is normally used to access virtual desktops and for the remote management of systems.
But if attackers can compromise access to RDP, it can provide an easy way into a corporate network, opening the door for espionage, data breaches, and more.
As a result, RDP access credentials are increasingly being sold on the Dark Web and underground forums, where merchants offer access to tens of thousands of computers at prices from as little as $3 for a Windows XP system to $9 for Windows 10.
With the right password, hackers can remotely access a network without the victim knowing they’re there.
Researchers at Flashpoint have been monitoring prominent criminal marketplaces that sell RDP details and have found that access to systems around the world is up for sale. Often, brute force attacks against systems with poor passwords will allow these credentials to fall into criminal hands.
One of the most popular underground stores selling access is ‘Ultimate Anonymity Services’. Founded in early 2016, UAS offers over 35,000 RDP credentials for sale in a variety of countries and for a variety of Windows operating systems, from Windows XP to Windows 10.
The gang behind the store makes posts in Russian and English, and like many Eastern European-based operations, it doesn’t sell credentials of Russian or Baltic accounts. However, the rest of the world is fair game, and researchers found thousands of RDP details for computers in China, Brazil and India for sale on UAS.
UAS also offers hundreds of RDP credentials for targets across the United States – mostly focused around Virginia, Ohio and California.
Prices of compromised RDPs on UAS mostly range from $3 to $9, depending on location and operating system. Factors such as which ports the system has open and how recently the credentials were stolen can increase the price, although only to a maximum of $15.
UAS is far from the only online marketplace selling access to compromised RDPs. Flashpoint researchers analysed a competing cybercrime forum, xDedic, and found that while it also offers prices as low as $10 for RDP access, some prices reach $100 — although Flashpoint couldn’t determine why.
But one thing is clear: there’s an active market for compromised RDP credentials, which are being actively exploited by hackers.
The remote nature of the login means attackers can quietly and anonymously monitor the compromised network, enabling access to documents and other files, and providing systems on which to install malicious software.
In order to protect against exploitation of RDP, organisations should regularly review their systems and security, and put in place strong passwords to prevent brute force access to corporate environments.
In the meantime, researchers say this form of attack will grow in popularity as more cyber criminals realise that credentials are on sale at such a low price.