
Dark Web shops selling RDP connections on the cheap

A penny-pinching cybercriminal doesn't even have to break a $20 bill to gain the credentials to hack into an institution as critical as a major metropolitan airport, according to a McAfee study.

The McAfee Advanced Threat Research team conducted a study of the Dark Web and found many online platforms selling remote desktop protocol (RDP) access to previously hacked machines. On one of them, access to a device associated with a major international airport could be bought for only $10.

“Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group only have to spend an initial $10 dollars to get access and are charging $40K ransom for decryption, not a bad return on investment,” wrote John Fokker, McAfee's head of cyber investigations for McAfee Advanced Threat Research.

Obtaining the RDP connections is a simple matter of scanning the internet for systems that accept RDP connections and then launching a brute-force attack to uncover the credentials.
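The scan-then-brute-force approach described above leaves a characteristic trail on the targeted host: a burst of failed RDP logons from one source, often cycling through account names, sometimes followed by a success from the same source. The following detector is an added example, not code from the article or from McAfee's research. It reads Windows Security events flattened into a constructed `timestamp|event_id|logon_type|source_ip|user` line format (the sample lines and addresses are made up for the example); event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows semantics, while the threshold and window are assumptions a defender would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, one per line:
#   timestamp|event_id|logon_type|source_ip|target_user
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
# These lines and IP addresses are made up for this example.
SAMPLE_LOG = """\
2018-07-11T09:58:10|4624|10|198.51.100.20|jsmith
2018-07-11T10:00:01|4625|10|203.0.113.7|administrator
2018-07-11T10:00:02|4625|10|203.0.113.7|admin
2018-07-11T10:00:03|4625|10|203.0.113.7|administrator
2018-07-11T10:00:04|4625|10|203.0.113.7|backup
2018-07-11T10:00:05|4625|10|203.0.113.7|administrator
2018-07-11T10:00:06|4625|10|203.0.113.7|sqlsvc
2018-07-11T10:00:09|4624|10|203.0.113.7|backup
2018-07-11T10:15:00|4625|10|198.51.100.20|jsmith
2018-07-11T10:15:30|4624|10|198.51.100.20|jsmith
2018-07-11T10:20:00|4625|3|203.0.113.9|administrator
"""

FAIL_THRESHOLD = 5              # assumed: failures from one source inside the window that count as brute force
WINDOW = timedelta(minutes=5)   # assumed: sliding window length
RDP_LOGON_TYPE = "10"           # RemoteInteractive


def parse_line(line):
    """Split one flattened event line into a dict with a parsed timestamp."""
    ts, event_id, logon_type, src_ip, user = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "src_ip": src_ip,
        "user": user,
    }


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for sources with >= `threshold` failed RDP
    logons inside `window`. Each finding records the peak failure count, the
    distinct usernames tried, and whether a successful RDP logon from the
    same source followed while the burst was still inside the window (the
    pattern that suggests a credential was guessed)."""
    recent_failures = defaultdict(deque)   # src_ip -> deque of (timestamp, user) for recent 4625s
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                        # only RDP logons are of interest here
        q = recent_failures[ev["src_ip"]]
        # Age out failures that fell outside the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["event_id"] == "4625":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold:
                f = findings.setdefault(
                    ev["src_ip"],
                    {"failures": 0, "users": set(), "success_after_burst": False},
                )
                f["failures"] = max(f["failures"], len(q))
                f["users"].update(user for _, user in q)
        elif ev["event_id"] == "4624" and len(q) >= threshold:
            # A success from a source that is still inside a brute-force burst.
            f = findings.setdefault(
                ev["src_ip"],
                {"failures": len(q), "users": set(user for _, user in q), "success_after_burst": False},
            )
            f["success_after_burst"] = True
            f["users"].add(ev["user"])
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The detector deliberately ignores logon type 3 (network) events so that ordinary SMB or service authentication noise does not trigger it, and it keys on the source address rather than the username because RDP credential stuffing typically rotates through many accounts from one host. A single user with a typo (198.51.100.20 in the sample) stays below the threshold and is not reported.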

The team found a plethora of Dark Web stores selling these credentials. The inventory carried by the stores varied greatly, from some with only a dozen or so RDP connections for sale to others with 40,000.

The stolen and then purchased RDP connections were found to be used for a wide variety of criminal activity, ranging from account abuse, credential harvesting and extortion to spam and use as a false flag to cover other illicit cyber operations. Cryptomining is also a growing use for RDP connections, McAfee found.

“The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights,” Fokker said.

Among the more popular RDP connections being sold were those belonging to government and healthcare facilities. Fokker noted the SamSam ransomware group may have used an RDP shop. Recently, Atlanta and the Colorado Department of Transportation were both hit with SamSam, with the Atlanta attack costing that city about $10 million in recovery fees.
