Flashpoint, a security research firm, has uncovered that hackers have compromised over 35,000 Remote Desktop Protocol (RDP) servers and are using them to anonymize cyber-attacks, including as a means of direct access to victims' networks.
In an analysis published on the 24th of October, Flashpoint stated that over 35,000 servers that host remote desktops for various companies had been compromised by a group from Eastern Europe, which was selling access to the compromised machines for $15 or less each. Further reports named the group as Ultimate Anonymity Services (UAS), a Russian group that runs a marketplace on the dark web.
The compromised RDP servers allow the group to offer anonymous access and, through that access, whatever information and resources the servers hold. RDP itself was developed by Microsoft and lets a user operate another machine's desktop over a network: the machine that initiates the connection runs an RDP client, and the machine being accessed runs an RDP server (listening on TCP port 3389 by default).
It is also a common way for companies to give employees remote access to their desktops.
But when attackers obtain valid credentials for an Internet-facing RDP server, and two-factor authentication is not enabled, the legitimate remote-desktop service gives them the same interactive control a remote-access Trojan would, with whatever privileges the compromised account holds on the machine.
In a blog post detailing the research, Flashpoint analyst Olivia Rowley and director of research Vitali Kremez explained:
“This could potentially allow actors access to proprietary internal documents or resources, as well as entry points in which to drop various payloads.”
“All sorts of data can be stolen via compromised RDPs. Cyber-extortionists have likely utilized RDPs in order to steal personally identifiable information and other sensitive data from clients of a variety of businesses,” Olivia Rowley added.
China, India, and Brazil were the three countries with the most compromised servers, together accounting for almost half of the total. The United States also had hundreds of compromised servers.
“Compromised RDP servers are used both as instruments of anonymity and also oftentimes as a means of providing direct access to victim networks,” Rowley continued in the online blog. “Over the past several years, Flashpoint analysts have discovered that various hospitality, retail, and online payment services have been breached as a result of criminal syndicates utilizing fraudulently obtained RDP access.”
However, many of the US servers shared the same zip codes, which suggested that the hackers had compromised the RDP servers of one specific company operating within a certain geographic area.
Healthcare companies, educational institutions, and government agencies had the most compromised servers.
A researcher from IBM also described how his home office was nearly breached as a result of this attack.
“Had I not been there to thwart the attack, who knows what would have been accomplished. Instead of discussing how I almost got hacked, I’d be talking about the serious implications of my personal data leak,” he stated.
The blog post also said that Flashpoint uncovered tens of thousands of compromised RDP servers selling on UAS for as little as $3-$10 each, with freshly compromised servers, or ones that had an open port 25 (SMTP), costing a bit more. None of the prices, however, exceeded $15.
Reports also stated that UAS was new in the game, having only started selling access to compromised RDP servers in February. The blog post noted that UAS's prices undercut those of xDedic, a fellow Russian dark web marketplace and a major player in the business, whose prices ranged from $10 to $100, significantly higher than UAS's.
“Overall, Flashpoint assesses with moderate confidence that UAS low prices may contribute to the growing popularity of the shop among cybercriminals,” Rowley and Kremez said.
“Indeed, Flashpoint analysts’ predictive forecasting determined that cybercriminal interest in UAS will likely continue growing.”
Rowley also noted that the compromised RDP servers are mostly run by third-party providers whose systems connect to back-end retail systems, which can give an attacker access to credit and debit card details.
“Cyber-criminals may also use RDPs to gain access to point-of-sale (POS) terminals, thereby granting them access to financial information from recent and ongoing transactions,” she stated.
Flashpoint has, however, advised companies to take preventive measures against such attacks: conduct regular audits, scan their own networks for exposed RDP services, and use strong passwords on any RDP server that is accessible from the Internet.
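The "scan your own network for the protocol" step above, as an added example that is not part of Flashpoint's post or the article: it connects to the RDP port on each host and sends an X.224 Connection Request, so a host that merely accepts TCP on 3389 is not mistaken for a real RDP listener. The host list, the fake listeners on 127.0.0.1 and the `FakeRdpHandler`/`FakeWebHandler` names are constructed stand-ins for this example; the request and confirm byte layouts follow the RDP negotiation exchange described in MS-RDPBCGR, which is why the probe classifies a server whether or not it requires Network Level Authentication.

```python
"""Inventory RDP exposure on hosts you own: TCP-connect to the RDP port and send an
X.224 Connection Request so a listener that merely accepts TCP is not mistaken for RDP."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

RDP_PORT = 3389  # default RDP listener port

# X.224 Connection Request carrying an RDP Negotiation Request (MS-RDPBCGR 2.2.1.1):
# TPKT header (4 bytes) + X.224 CR (7 bytes) + RDP_NEG_REQ (8 bytes) = 19 bytes (0x13).
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved, total length 19
    "0ee00000000000"    # X.224: LI=14, code 0xE0 (CR), dst-ref, src-ref, class 0
    "0100080003000000"  # RDP_NEG_REQ: type 1, flags 0, length 8, SSL|HYBRID requested
)


def probe_rdp(host, port=RDP_PORT, timeout=2.0):
    """Return 'closed', 'open' (TCP accepted, no RDP handshake) or 'rdp'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered (timed out) or unreachable
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(X224_CONNECTION_REQUEST)
            reply = sock.recv(64)
        except OSError:
            return "open"  # accepted TCP but reset or stalled on the handshake
    # A Connection Confirm is TPKT-framed (0x03 first) with X.224 code 0xD0 at offset 5;
    # this holds for both RDP_NEG_RSP and RDP_NEG_FAILURE replies, NLA enabled or not.
    if len(reply) >= 6 and reply[0] == 0x03 and reply[5] == 0xD0:
        return "rdp"
    return "open"


def scan(hosts, port=RDP_PORT, timeout=2.0, workers=32):
    """Probe each host concurrently; returns {host: status}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda h: (h, probe_rdp(h, port, timeout)), hosts))


def closed_local_port():
    """Bind and release an ephemeral port so it is almost certainly closed right after."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


# --- constructed stand-ins so the example runs offline (not real RDP servers) ---
class FakeRdpHandler(socketserver.BaseRequestHandler):
    """Answers any Connection Request with a Connection Confirm + RDP_NEG_RSP."""
    def handle(self):
        self.request.recv(64)
        self.request.sendall(bytes.fromhex("03000013" "0ed00000123400" "0200080002000000"))


class FakeWebHandler(socketserver.BaseRequestHandler):
    """Accepts TCP but speaks something else, so the probe must not report it as RDP."""
    def handle(self):
        self.request.recv(64)
        self.request.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")


def start_fake_server(handler):
    """Start a handler on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    rdp_srv, rdp_port = start_fake_server(FakeRdpHandler)
    web_srv, web_port = start_fake_server(FakeWebHandler)
    print("fake RDP listener:", probe_rdp("127.0.0.1", rdp_port))  # rdp
    print("fake web listener:", probe_rdp("127.0.0.1", web_port))  # open
    print("closed port:", probe_rdp("127.0.0.1", closed_local_port()))  # closed
    # Real use: scan(["10.0.0.1", "10.0.0.2", ...]) over address ranges you are authorised to test.
    rdp_srv.shutdown()
    web_srv.shutdown()
```

Any host that comes back as "rdp" from an address range reachable from the Internet is a candidate for the other two measures in the article: audit who can log in to it and why it is exposed, and enforce strong passwords (and, per the earlier point about compromised servers, two-factor authentication) rather than leaving password-only RDP on the public network. Only probe address space you own or are authorised to test.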