July 19, 2018 By David Bisson 2 min read

Cybercriminals have been selling remote desktop protocol (RDP) access to compromised machines on business networks through Dark Web marketplaces, according to July 2018 research from McAfee. Bad actors can do a lot with this access, including committing other acts of fraud and facilitating data breaches.

Given the widespread use of the protocol, organizations should implement basic security measures and password hygiene practices to protect themselves from this threat.

Dark Web Shops Offer Cheap Access to Breached Systems

While analyzing underground web marketplaces, the McAfee Advanced Threat Research team came across several “RDP shops” selling access to vulnerable systems. Some of these shops offered access to more than a dozen connections. Others, most notably the Ultimate Anonymity Service (UAS), had more than 40,000 links up for sale.

Most of these systems consisted of computers running Windows XP through Windows 10, with Windows 2008 and 2012 Server the most prevalent at 11,000 and 6,500 links, respectively. Access to those systems ranged in value from $3 to $19, with dozens of connections linked to healthcare institutions. McAfee’s most significant find was an offering that promised access to the security and building automation systems of a major international airport for just $10.

RDP Access: A Versatile Threat

Flashpoint cybercrime analyst Olivia Rowley explained that RDP access is such a hot commodity because attackers can use it to facilitate a wide variety of crimes.

“For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase,” Rowley said, as quoted by Dark Reading in November 2017. “Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches.”

A proprietary protocol from Microsoft, the RDP potentially leaves enterprises exposed to attackers because it allows users to control computers over a network remotely. While it’s designed to help simplify administrative tasks for businesses, attackers can abuse the protocol to remotely access computers on an internal network, including those containing sensitive information. They can then either steal that information or conduct a Samsam ransomware attack to extort payments from victims.

How Can Companies Thwart RDP Attacks?

To minimize the threat of RDP attacks, according to the McAfee report, organizations should disallow RDP connections over the open web, restrict the number of failed login attempts before an account is locked and use multifactor authentication (MFA) to make brute-force attacks more difficult.

Perhaps most importantly, security leaders should work to increase cyber awareness among employees — especially as it relates to password hygiene — through continuous training and education.

More from

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Cybersecurity Awareness Month: 5 new AI skills cyber pros need

4 min read - The rapid integration of artificial intelligence (AI) across industries, including cybersecurity, has sparked a sense of urgency among professionals. As organizations increasingly adopt AI tools to bolster security defenses, cyber professionals now face a pivotal question: What new skills do I need to stay relevant?October is Cybersecurity Awareness Month, which makes it the perfect time to address this pressing issue. With AI transforming threat detection, prevention and response, what better moment to explore the essential skills professionals might require?Whether you're…

Why safeguarding sensitive data is so crucial

4 min read - A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other.The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states.The breach, first reported by WIRED, involved PII, such as patient names and addresses,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today