Cybercriminals have another way to use a remote server, even if they have not hacked it directly. This is buying unauthorized remote desktop accounts from black-market sites. The black market sites selling stolen remote server are not accessible using a mainstream browser, as they are in the Dark Web.
The Dark Web is a section of the World Wide Web that can only be reached by Tor, a part of the web that the search engines even the likes of Google cannot index. It is the area where questionable transactions take place, with numerous illegal activities thrive on the Dark Web.
McAfee Advanced Threat Research team recently discovered the growing market of selling RDP access. The RDP computer credentials being sold vary from the outdated Windows XP to the latest version of Windows 10. There are also RDP accounts for Windows Server 2008 and 2012 being offered at a surprisingly low price, as low as $3. McAfee’s investigations further revealed that the compromised machines are mostly located in hospital facilities. There is also one instance of an RDP login credential for an airport security automation server being sold for only $10.
Olivia Rowley, an analyst of Flashpoint cybercrime further explained why black market sales of RDP credentials have grown at an unprecedented rate: “For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase. Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches.”
RDP or Remote Desktop Protocol is the default protocol for remote access available with “Professional”, “Enterprise” and Server versions of Windows. Access can be granted and revoked by system administrators either through Computer Management for non-domain PC and Active Directory Users and Computers page for domain PC. RDP helps system administrators maintain multiple computers on the network, without physically taking over the machine.
System administrators must practice a reliable user account management policy, where RDP accounts of employees who left the organization are disabled in a timely manner. In a huge organization with thousands of employees, without a reliable user account management policy, revocation of former employees’ RDP accounts is overlooked, making them reliable for sale on the black market.
Firms are also advised to use a dependable password vault software in order to store all the password in an encrypted way. A password vault stores passwords using an encrypted database compliant with industry standard AES-128 or 256-bit encryption technology, hence it prevents attackers from successfully breaking in the server’s login page using brute force methods.
