Hackers may be able to buy access to your company’s network on the dark web for cheap.
McAfee threat researchers recently discovered that access linked to security and building automation systems of a major international airport could be bought for just $10 on a dark web RDP shop — an online platform selling remote desktop protocol (RDP) access.
Luckily, the researchers found the RDP for sale soon after hackers uploaded it into the shop. They immediately notified the airport, which shut it down before attackers could access the systems.
“But there are multiple shops out there constantly adding new connections all the same,” said Raj Samani, chief scientist at McAfee.
Microsoft developed RDP to allow a user with a graphical interface to connect to another computer over a network.
“It’s a really useful protocol,” Samani said. For example, a company’s suppliers can use RDP to make sure the systems are working as intended. It also allows remote users to connect to servers. “It’s a really powerful tool,” Samani said. “The issue is that criminals like to use the same tools we use.”
Dark Web RDP Shops
RDP shops make network access really cheap and easy for attackers. They don’t need to create a phishing campaign or invest in malware obfuscation or exploit kits. All they have to do is buy RDP access, and once they gain access they can easily infiltrate the systems.
Case in point: the recent SamSam ransomware attack that hit Atlanta in March. It shut down online services and cost the city more than $2.6 million in recovery (the city did not pay the ransom). In this event and in earlier SamSam attacks, hackers gained access to servers via RDP.
“Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase,” wrote McAfee’s John Fokker in a blog post. “Cybercriminals like the SamSam group only have to spend an initial $10 to get access and are charging $40K ransom for decryption, not a bad return on investment.”
In its investigation, the McAfee Advanced Threat Research team identified “thousands and thousands” of systems with RDP access for sale via these dark web shops, Samani said. “And they were selling access, which included user names and passwords for these particular systems. One shop had 40,000 connections they were selling online,” he added. This particular shop is the Russia-based Ultimate Anonymity Service (UAS).
US Systems Being Sold
The researchers also found multiple U.S. government systems being sold worldwide on these shops, as well as dozens of connections linked to health care institutions ranging from hospitals and nursing homes to suppliers of medical equipment.
In addition to selling RDP access, some of these shops sell social security numbers, credit card data, and logins.
Samani said the research provides good insight into the cybercrime economy. It isn’t all about artificial intelligence (AI) and machine learning (ML), he added: “People talk about ML and AI, and yet the reality is in many cases it’s simple: go in, buy access, use that access, do something bad with it, and make money.”
Basic RDP Security
The research also points to the larger problem of organizations “leaving the backdoor open” for cybercriminals, he said. RDP is a growing threat that companies should worry about because it makes attackers’ jobs so easy.
“People think of cybercrime like the Matrix, you need the powers of Neo to get in, but the reality is most criminals go after that low-hanging fruit,” Samani said. “There is literally no lower hanging fruit than this. It’s on the ground.”
So how can companies protect their systems? First, ensure everyone with network access is using complex passwords. “If your suppliers want to have access into your environment, make sure their passwords are strong, and not the same password across every one of their customers,” he said. “Two-factor authentication is important.”
Also, don’t allow RDP connections over the open internet.
Regularly check event logs for unusual login attempts. “And consider locking out users after too many failed login attempts,” Samani said. This will help block brute-force tools, which use automation to generate a massive number of consecutive user name and password guesses in order to obtain access.
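As an added example (not code from the article or from McAfee), here is a small Python check over constructed records shaped like Windows Security log events that flags the pattern Samani describes: repeated failed RDP logons (Event ID 4625, logon type 10) from one source inside a short window, and whether a successful logon (Event ID 4624) from that source followed. The field names, threshold, window, addresses and timestamps are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log fields.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 =
# RemoteInteractive, i.e. an RDP session. Addresses and times are made up.
SAMPLE_EVENTS = [
    {"time": "2018-07-10T02:00:00", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2018-07-10T02:00:20", "id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2018-07-10T02:00:41", "id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.7"},
    {"time": "2018-07-10T02:01:03", "id": 4625, "logon_type": 10, "user": "supplier", "src": "198.51.100.7"},
    {"time": "2018-07-10T02:01:30", "id": 4625, "logon_type": 10, "user": "supplier", "src": "198.51.100.7"},
    {"time": "2018-07-10T02:02:12", "id": 4624, "logon_type": 10, "user": "supplier", "src": "198.51.100.7"},
    {"time": "2018-07-10T09:15:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2018-07-10T09:15:30", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2018-07-10T09:20:00", "id": 4625, "logon_type": 2, "user": "jsmith", "src": "-"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src: {...}} for sources with >= `threshold` failed RDP logons
    inside any `window`, noting whether a successful RDP logon followed
    (a brute-force that eventually worked is the case to escalate)."""
    recent = defaultdict(deque)  # src -> timestamps of RDP failures still in window
    tried = defaultdict(set)     # src -> user names attempted from that source
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:  # ignore console/network logons; RDP only
            continue
        ts, src = datetime.fromisoformat(ev["time"]), ev["src"]
        if ev["id"] == 4625:
            q = recent[src]
            q.append(ts)
            tried[src].add(ev["user"])
            while ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(src, {"failures": 0, "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
                hit["users"] = sorted(tried[src])
        elif ev["id"] == 4624 and src in flagged:
            flagged[src]["success_after"] = True  # a guess eventually succeeded
    return flagged


if __name__ == "__main__":
    for src, hit in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {hit['failures']} failed RDP logons, users {hit['users']}, "
              f"success afterwards: {hit['success_after']}")
```

The same sliding-window count is what a lockout policy enforces on the host side; running it over exported logs shows which sources would have tripped it and whether the guessing stopped at a lockout or ended in a successful session.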
It’s important to remember that “there’s an entire marketplace” selling RDP access, he added. “There are basic steps and measures everyone should take to prevent them from falling foul of the same issues.”