Dark Web shops selling RDP connections on the cheap

News by Doug Olenick

A penny-pinching cybercriminal doesn't even have to break a US$ 20 bill (£15) to gain the credentials to hack into an institution as critical as a major metropolitan airport, according to McAfee study.

A penny-pinching cybercriminal doesn't even have to break a US$ 20 bill (£15) to gain the credentials to hack into an institution as critical as a major metropolitan airport, according to McAfee study.

McAfee Advanced Threat Research team conducted a study of the Dark Web and found many online platforms selling remote desktop protocol (RDP) access to machines previously hacked. One of which offered access to a device associated with a major international airport could be bought for only US$ 10 (£8).

"Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cyber-criminals like the SamSam group only have to spend an initial US$ 10 dollars (£8) to get access and are charging US$ 40K (£30K) ransom for decryption, not a bad return on investment," wrote John Fokker, McAfee's head of cyber-investigations for McAfee Advanced Threat Research.

Obtaining the RDP connections is a simple matter of scanning the web for systems that accept RDP connections and then launching a brute force attack to uncover the credentials.

The team found a plethora of Dark Web stores selling these credentials. The inventory carried by the stories varied greatly with some only have a dozen or so RDP connections for sale to 40,000.

The stolen and then purchased RDP connections were found to be used for a wide variety of criminal activity, including Account abuse, credential harvesting and extortion to spam and as a false flag to cover other illicit cyber-operations. Cryptomining is also a growing use model for RDP connections, McAfee found.

"The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around US$ 3 (£2) for a simple configuration to US$ 19 (£14) for a high-bandwidth system that offered access with administrator rights," Fokker said.

Among the more popular RDP connections being sold belonged to government and healthcare facilities. Fokker noted the SamSam ransomware group may have used an RDP shop. Recently, Atlanta and the Colorado Department of Transportation were both hit with SamSam with the Atlanta attack costing that city about US$ 10 million (£7.6 million) in recovery fees.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events