Russian dark web marketplace Ultimate Anonymity Services (UAS) was recently observed selling more than 35,000 compromised Remote Desktop Protocol servers, which cyber-criminals can leverage to anonymise themselves or to directly access victims' networks, according to an analysis from Flashpoint.
Developed by Microsoft, the RDP protocol provides users with a graphical interface for remotely accessing another user's systems over a network connection. Machines that do the connecting employ an RDP client, while those that are accessed use an RDP server.
But when an RDP server is compromised, attackers can leverage it to gain a foothold into an organisation, before pivoting to more valuable network systems. "This could potentially allow actors access to proprietary internal documents or resources, as well as entry points in which to drop various payloads," explained Flashpoint Intelligence Analyst Olivia Rowley and Director of Research Vitali Kremez, in a company blog post detailing the research.
Last month, Flashpoint found tens of thousands of brute-forced compromised RDP servers being sold on UAS for as little as £2 to £7 each, the blog post continues. Newly compromised servers, or ones with an open port 25, cost slightly more, but the price never exceeded apx £11.
UAS' competitive pricing makes it a formidable competitor to fellow Russian dark web marketplace xDedic, whose prices prices range from £7 to £70, the blog post notes. "Overall, Flashpoint assesses with moderate confidence that UAS's lower prices may contribute to the growing popularity of the shop among cyber-criminals," state Rowley and Kremez. "Indeed, Flashpoint analysts' predicative forecasting determined that cyber-criminal interest in UAS will likely continue growing."
Further analysis shows that high concentrations of UAS' infected servers reside in China (7,216), Brazil (6,143), India (3,062), Spain (1,335) and Colombia (929). US-hosted servers weren't entirely immune either, as Flashpoint researchers discovered roughly 300 of them on UAB. Interestingly, many of them shared the same zip codes, suggesting that bad actors may exploited the RDPs of a specific company or companies located within certain geographic areas.
For instance, the Russian marketplace was observed selling 52 compromised RDP servers each in US districts Ashburn, Virginia and Franklin County, Ohio. And Santa Clara County, California, Clackamas County, Oregon, and Alameda County California were each discovered playing host to dozens of compromised servers.
The shop does not, however, sell any RDP servers hosted in the former Soviet nations making up the Commonwealth of Independent States (CIS).
In addition to RDPs, UAS also sells SOCKS proxies, the report notes.