The Asian Age

Hackers can access your PC for only $ 3

● RDP allows one to access another computer through a graphical interface.
● Using RDP access to create misdirection is one of its most common criminal applications.
● The majority of ransomware is still spread by phishing emails.

- AGE CORRESPONDENT

While researching underground hacker marketplaces, McAfee's Threat Research team discovered that access linked to the security and building automation systems of a major international airport could be bought for only US$10.

John Fokker believes that the dark web contains RDP shops: online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems that could potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that lets a user control another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, it can be used to devastating effect. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase: cybercriminals spend an initial $10 to get access and then charge a $40,000 ransom for decryption, not a bad return on investment.

RDP SHOPS:

Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.

The Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale. The largest active shop they researched was Ultimate Anonymity Service (UAS), a Russian business. They also looked at smaller shops found through forum searches and chats, and noticed that the stock of the bigger shops varies from day to day by about 10 per cent.

CYBERCRIMI­NAL ACCESS:

RDP is an efficient way into a network: an attacker who leverages it need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defences.

FALSE FLAGS:

Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim's machine, effectively planting a false flag for investigators and security researchers.

SPAM:

Just as spammers use giant botnets such as Necurs and Kelihos, RDP access is popular among a subset of spammers. Some of the systems found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check to see whether the systems have been flagged by Spamhaus and other antispam organisations.

ACCOUNT ABUSE, CREDENTIAL HARVESTING AND EXTORTION:

By accessing a system via RDP, attackers can obtain almost all data stored on it. This information can be used for identity theft, account takeovers, credit card fraud, extortion and more.

CRYPTOMINI­NG:

Several criminal forums were found actively advertising Monero mining as a use for compromised RDP machines.

RANSOMWARE:

The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialised criminal groups such as SamSam are known to use RDP to enter their victims' networks easily and almost undetected.

RDP SHOP OVERVIEW

SYSTEMS FOR SALE:

The advertised systems ranged from Windows XP through Windows 10. Windows Server 2008 and 2012 were the most abundant, with around 11,000 and 6,500 systems, respectively, for sale. Prices ranged from around $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.

THIRD-PARTY RESELLERS:

When comparing stock among several RDP shops, the researchers found that the same RDP machines were sold at different shops, indicating that these shops act as resellers.

WINDOWS EMBEDDED STANDARD:

Now called Windows IoT, it is used in a wide variety of systems that require a small footprint. These range from thin clients to hotel kiosk systems, announcement boards, point-of-sale (POS) systems and even parking meters, among others.

Basic measures:

■ Use complex passwords and two-factor authentication.

■ Do not allow RDP connections from the open Internet.

■ Lock out accounts, and block or rate-limit IP addresses, after repeated failed login attempts.

■ Regularly check event logs.

■ Consider an account-naming convention that limits the information an attacker can infer.

■ Enumerate all systems on the network and list how they are connected and through which protocols. This also applies to IoT and POS systems.
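The following script is an added example, not code from the article or from McAfee, showing how the measures above translate into concrete settings on a single Windows host: it requires Network Level Authentication for RDP, scopes the built-in Remote Desktop firewall rules to a trusted subnet, sets an account lockout policy, and then reads the Security event log for failed logons (Event ID 4625) and reports the source addresses that look like brute-force attempts. The subnet 10.0.0.0/8, the lockout values and the reporting threshold are assumptions to be adjusted for your environment; the script must be run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or McAfee): apply basic RDP hardening
# and audit failed RDP logons on one Windows host.

$TrustedSubnet  = '10.0.0.0/8'   # assumed management network allowed to reach RDP
$FailedLogonCap = 5              # assumed: failures per source IP before reporting
$LookbackHours  = 24

# 1. Require Network Level Authentication and the TLS security layer, so an
#    attacker must present valid credentials before a full session is created.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord

# 2. Do not expose RDP to the open Internet: restrict the built-in Remote Desktop
#    firewall rules to the trusted subnet and make sure they are enabled.
Set-NetFirewallRule    -DisplayGroup 'Remote Desktop' -RemoteAddress $TrustedSubnet
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Lock out accounts after repeated failed logons (local policy; in a domain
#    set the equivalent values through Group Policy instead).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Check the event log. Event ID 4625 is a failed logon. Logon type 10 is
#    RemoteInteractive (a classic RDP logon); with NLA enabled, failures are
#    usually recorded as logon type 3 (Network) instead, so both are kept.
$since  = (Get-Date).AddHours(-$LookbackHours)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event's XML representation.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
            SourceIp  = $data['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -in @('3', '10') -and $_.SourceIp -and $_.SourceIp -ne '-' }

# Group failures by source address; an address with many failures against
# several accounts is the signature of the brute-force tools described above.
$failed | Group-Object SourceIp |
    Where-Object { $_.Count -ge $FailedLogonCap } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
        Write-Output ('{0,-15} {1,5} failed logons in {2}h; accounts tried: {3}' -f `
                      $_.Name, $_.Count, $LookbackHours, $accounts)
    }
```

The reported addresses are candidates for the blocking or rate-limiting measure above; on a host with no failed logons in the window, Get-WinEvent returns nothing and the script prints nothing.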

PHOTO: PIXABAY
