New reports indicate that cybercriminals on the dark web are selling remote access to corporate desktop computers at the bargain-basement price of only US$3, allowing criminals to spy on businesses without the need for malware. To give employees access to the corporate network away from the office, some companies implement such remote access services using unsecured Remote Desktop Protocol (RDP) and, by doing so, have opened a gaping hole in their network defenses. If the latest reports are true, it is a very worrying development that should be of extreme concern to cyber security professionals.
Combine rock-bottom prices on the dark web with no requirement for any special skills in managing or coding malware, and the result is a foregone conclusion. Even those who to date have not been actively involved in illegally stealing data from businesses will be tempted into what is, after all, a potentially lucrative if highly illegal activity.
Remote access a boon for cyber criminals
The sale of remote access credentials is allowing hackers to steal vital information from corporate organizations in a number of sectors such as retail, healthcare, government and education amongst others.
Tyler Reguly, a manager of Tripwire’s Vulnerability and Exposure Research Team, highlighted that such remote access “can often give you the keys to the Kingdom.”
Reguly noted that: “Any remote access service should be considered a risk, but those giving access to a corporate network should be handled with extra care. Attackers are constantly working to gain access to new systems to use to mask their identity, to gather data, or just to spread their tools across more hosts.”
Security experts warn that weak RDP credentials are in wide circulation on darknet marketplaces and are used increasingly by ransomware attackers. Such "trusted" access into the corporate network allows cyber criminals to plant ransomware on company servers, from where it may then be downloaded onto user PCs when files are accessed.
Cheap buys on the dark web
Cyberattacks against RDP servers and credentials have been around for several years. Attackers now use botnets to automatically search out internet-connected devices with exposed RDP ports and hammer them with brute-force username and password guesses until their attack tools find a match. Many RDP credential harvesters then sell this access to others.
Ultimate Anonymity Services (UAS), the Russian dark web marketplace, was found to be selling more than 35,000 compromised RDP servers. This includes hundreds of RDP credentials for destinations throughout the United States, primarily focused on Ohio, Virginia and California.
The cost of a compromised RDP server on UAS typically ranges between US$3 and US$9, depending on operating system and location. Factors such as which ports are open and how recently the credentials were stolen can push the price up, but only to US$15.
Problem with unsecured remote access
The remote nature of the connection means that hackers can anonymously monitor the compromised network, gain access to documents and other files, and obtain systems on which to install malware.
Flashpoint says in a blog post, "In addition to being able to launch external attacks and move laterally within networks, attackers are then able to plant malicious software, exfiltrate data and/or manipulate network settings."
Attackers have used RDP to spread numerous strains of crypto-locking ransomware, including CRYSIS and Bitpaymer.
Ditch RDP and secure your remote access
The service itself does not seem very powerful, but some consider it an enormously clever scam. It is an innovative idea, say cybersecurity experts who monitor activity on the black markets of cyberspace: the dark web, dark net and deep web.
To illustrate, Reguly shared, “Looking at one of my personal servers, I’m seeing 2,252 access attempts in a 24-hour window. This is just a random IP on the Internet. Imagine how much more interesting a corporate environment would be.”
To protect themselves against RDP exploitation, organizations must periodically review their systems and security, and implement strong remote access solutions to prevent attackers from getting into business environments.
The first question companies need to ask themselves is whether such remote access is needed in the first place and, if so, whether Virtual Private Network (VPN) connections can be used instead. Reguly warned, "Any business should look critically at their infrastructure and determine if they truly require internet facing remote access services. The first step for this type of access should always be a VPN; any sort of terminal or console access should only be considered if the possibility of a VPN is unavailable."
Organizations must also wake up to the fact that relying on passwords will no longer cut it in today’s heightened cyber threat environment. Two-factor authentication (2FA) must be seriously considered to protect such remote access. As Reguly puts it, “When parents head out for the evening, they don’t leave their child home alone and say, ‘Well, we locked the door, they’ll be fine.’ They hire a babysitter, leave contact details and emergency numbers, and then, as they’re leaving, they lock the door. Think of 2FA as your babysitter, ensuring that the door remains locked and everything stays safe.”
Organizations that fail to follow this guidance may find their RDP server credentials up for sale cheaply on the dark web.