
Russian underground shop selling RDP servers for $15 or less

Russian dark web marketplace Ultimate Anonymity Services (UAS) was recently observed selling more than 35,000 compromised Remote Desktop Protocol servers, which cybercriminals can leverage to anonymize themselves or to directly access victims' networks, according to an analysis from Flashpoint.

Developed by Microsoft, RDP provides users with a graphical interface for remotely accessing another user's system over a network connection. The machine that initiates the connection runs an RDP client, while the machine being accessed runs an RDP server.

But when an RDP server is compromised, attackers can leverage it to gain a foothold in an organization before pivoting to more valuable network systems. "This could potentially allow actors access to proprietary internal documents or resources, as well as entry points in which to drop various payloads," explained Flashpoint Intelligence Analyst Olivia Rowley and Director of Research Vitali Kremez, in a company blog post detailing the research.

Last month, Flashpoint found tens of thousands of brute-forced compromised RDP servers being sold on UAS for as little as $3 - $10 each, the blog post continues. Newly compromised servers, or ones with an open port 25, cost slightly more, but the price never exceeded $15.
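The servers described above were obtained by brute-forcing RDP logons, and that activity leaves a recognizable trace on the victim host. As an added defensive example (not from the article or from Flashpoint's report), the script below scans constructed, simplified Windows Security log lines for a burst of failed RDP logons (event 4625, logon type 10) from one source address within a short window, and records whether a later successful RDP logon (event 4624) from the same address followed. The line layout and all sample values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp event_id logon_type user src_ip" layout.
# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2017-07-10T02:14:01 4625 10 administrator 203.0.113.7
2017-07-10T02:14:02 4625 10 admin 203.0.113.7
2017-07-10T02:14:03 4625 10 root 203.0.113.7
2017-07-10T02:14:04 4625 10 user 203.0.113.7
2017-07-10T02:14:05 4625 10 test 203.0.113.7
2017-07-10T02:14:06 4625 10 backup 203.0.113.7
2017-07-10T02:14:09 4624 10 backup 203.0.113.7
2017-07-10T02:20:00 4625 10 jsmith 198.51.100.4
2017-07-10T09:00:00 4624 10 jsmith 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, logon_type, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": int(event_id),
            "logon_type": int(logon_type), "user": user, "src": src}


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose RDP logon failures inside a sliding
    `window` reach `threshold`; each alert notes the account of any later success."""
    failures = defaultdict(list)  # src -> timestamps of recent failed RDP logons
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        src = ev["src"]
        if ev["event"] == 4625:
            # keep only failures still inside the window, then add this one
            recent = [t for t in failures[src] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[src] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"first_seen": recent[0], "failures": 0,
                                                "success_after": None})
                alert["failures"] = len(recent)
        elif ev["event"] == 4624 and src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = ev["user"]  # account likely guessed correctly
    return alerts
```

A success from a source that has just crossed the failure threshold is the case worth paging on; the single failure from 198.51.100.4 followed by a success hours later is ordinary user behaviour and is not flagged.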

UAS' competitive pricing makes it a formidable competitor to fellow Russian dark web marketplace xDedic, whose prices range from $10 to $100, the blog post notes. "Overall, Flashpoint assesses with moderate confidence that UAS's lower prices may contribute to the growing popularity of the shop among cybercriminals," state Rowley and Kremez. "Indeed, Flashpoint analysts' predicative forecasting determined that cybercriminal interest in UAS will likely continue growing."

Further analysis shows that high concentrations of UAS' infected servers reside in China (7,216), Brazil (6,143), India (3,062), Spain (1,335) and Colombia (929). U.S.-hosted servers are not entirely immune either, as Flashpoint researchers discovered roughly 300 of them on UAS. Interestingly, many of them shared the same zip codes, suggesting that bad actors may have exploited the RDP servers of a specific company or companies located within certain geographic areas.

For instance, the Russian marketplace was observed selling 52 compromised RDP servers each in Ashburn, Va. and Franklin County, Ohio. And Santa Clara County, Calif., Clackamas County, Ore., and Alameda County, Calif. were each discovered playing host to dozens of compromised servers.

The shop does not, however, sell any RDP servers hosted in the former Soviet nations making up the Commonwealth of Independent States (CIS). 

In addition to RDPs, UAS also sells SOCKS proxies, the report notes.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
