July 19, 2018 By David Bisson 2 min read

Cybercriminals have been selling remote desktop protocol (RDP) access to compromised machines on business networks through Dark Web marketplaces, according to July 2018 research from McAfee. Bad actors can do a lot with this access, including committing other acts of fraud and facilitating data breaches.

Given the widespread use of the protocol, organizations should implement basic security measures and password hygiene practices to protect themselves from this threat.

Dark Web Shops Offer Cheap Access to Breached Systems

While analyzing underground web marketplaces, the McAfee Advanced Threat Research team came across several “RDP shops” selling access to vulnerable systems. Some of these shops offered access to more than a dozen connections. Others, most notably the Ultimate Anonymity Service (UAS), had more than 40,000 links up for sale.

Most of these systems consisted of computers running Windows XP through Windows 10, with Windows 2008 and 2012 Server the most prevalent at 11,000 and 6,500 links, respectively. Access to those systems ranged in value from $3 to $19, with dozens of connections linked to healthcare institutions. McAfee’s most significant find was an offering that promised access to the security and building automation systems of a major international airport for just $10.

RDP Access: A Versatile Threat

Flashpoint cybercrime analyst Olivia Rowley explained that RDP access is such a hot commodity because attackers can use it to facilitate a wide variety of crimes.

“For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase,” Rowley said, as quoted by Dark Reading in November 2017. “Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches.”

A proprietary protocol from Microsoft, the RDP potentially leaves enterprises exposed to attackers because it allows users to control computers over a network remotely. While it’s designed to help simplify administrative tasks for businesses, attackers can abuse the protocol to remotely access computers on an internal network, including those containing sensitive information. They can then either steal that information or conduct a Samsam ransomware attack to extort payments from victims.

How Can Companies Thwart RDP Attacks?

To minimize the threat of RDP attacks, according to the McAfee report, organizations should disallow RDP connections over the open web, restrict the number of failed login attempts before an account is locked and use multifactor authentication (MFA) to make brute-force attacks more difficult.

Perhaps most importantly, security leaders should work to increase cyber awareness among employees — especially as it relates to password hygiene — through continuous training and education.

More from

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Is AI saving jobs… or taking them?

4 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job. Well, which is it? As with all things security-related, AI-related and employment-related, it's complicated. How AI creates jobs A major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today