Flashpoint researchers report that Dark Web marketplaces selling access to compromised Remote Desktop Protocol (RDP) servers have become increasingly popular over the past few years — including RDPs sourced from healthcare, education and government entities.
One online shop, UAS (Ultimate Anonymity Services), in operation since February 2016, offers more than 35,000 brute forced RDPs for sale — 7,216 from China, 6,143 from Brazil, 3,062 from India, 1,335 from Spain and 929 from Colombia, among others.
UAS offers about 300 U.S.-based RDPs, with notable concentrations in Ashburn, Virginia (52 RDPs), Franklin County, Ohio (52 RDPs), Santa Clara County, California (43 RDPs), Clackamas County, Oregon (36 RDPs) and Alameda County, California (30 RDPs).
“Such concentration possibly indicates opportunistic exploitation of a handful of companies utilizing multiple RDPs; it is likely that these companies have lax security measures, leading to a greater number of vulnerable RDPs,” the researchers note.
Pricing on UAS ranges from $3 to $15 depending on the operating system, location, how recently the RDP was added to the site, and whether the RDP has an open port 25.
“As RDPs are set up for remote access to an office’s resources, they provide an initial vector into the target organization,” the researchers write. “By elevating privileges, threat actors can pivot from the environment to which the RDP server provided access to other, more target-rich environments. This could potentially allow actors access to proprietary internal documents or resources, as well as entry points in which to drop various payloads.”
Remote Access Risks
In response, Flashpoint recommends that organizations conduct audits and reviews of any externally accessible RDP connections to their networks, and ensure that RDP access is protected with a strong and complex password.
Tyler Reguly, manager of Tripwire‘s Vulnerability and Exposure Research Team, told eSecurity Planet by email that any remote access presents a risk, but those providing access to a corporate network should be handled with particular care. “Attackers are constantly working to gain access to new systems to use to mask their identity, to gather data, or just to spread their tools across more hosts,” he said.
And any form of remote access, Reguly said, should leverage two-factor authentication (2FA). “It doesn’t matter if employees complain, if the service doesn’t seem important enough for the investment, or if you’re only setting it up ‘temporarily’ (we all know it’ll become permanent),” he said. “2FA ensures that weak or leaked passwords will not lead to organizational compromise.”
As more and more Dark Web marketplaces pop up, AlienVault security advocate Javvad Malik said, companies should seek threat intelligence to monitor the Dark Web and see where their credentials may be being traded.
“As monitoring and collecting Dark Web data can be labor intensive, it can make sense to outsource the activity to a specialist company that can monitor the Dark Web and provide alerts as to whether employee or customer data or credentials are included in any breaches and are being actively traded on the Dark Web,” Malik said.
That may also mean reaching beyond the Dark Web into a world that’s harder to monitor. A recent IntSights report entitled Messaging Applications: The New Dark Web suggests that cyber criminals are responding to the crackdown on Dark Web markets like AlphaBay and Hansa by migrating instead to messaging apps such as Discord, ICQ, Skype, Telegram and WhatsApp.
“The anonymity provided by Dark Web networks such as Tor and i2p was the key reason for their popularity among cyber criminals,” IntSights CEO and co-founder Guy Nizan said in a statement. “Now that the Dark Web is no longer safe for hackers and threat actors, they are moving to messaging platforms and brazenly conducting their illicit activities on the same apps that millions use every day.”
Via group chats that can only be accessed with an invite link, the report states, as many as several hundred thousand users are leveraging mobile messaging apps to trade stolen credit card data, account credentials, malware and drugs, and to discuss hacking methods and ideas.
The report tracks a steady increase in mobile messaging invite links shared on Dark Web cybercrime forums over the past year — according to the report, Discord is becoming the go-to app for these discussions, with nearly nine times as many invites as the second most popular app.
“While more traditional forms of communication required an individual to have at least a basic level of knowledge of which sites to visit and how, in addition to the use of a dedicated browser over a desktop computer, today’s black market is accessible more than ever, with the tap of a finger over a portable pocket-held device,” the report states. “This could prove to cause a proliferation of low-level cybercrime that is conducted by less qualified perpetrators.”