Stolen or brute-forced remote desktop protocol (RDP) credentials have played a central role in many data breaches over the years and cybercriminals have made a business out of selling them on the underground market. For as little as $3, hackers can buy remote access into sensitive systems belonging to businesses, municipalities and even airports.
A recent investigation by researchers from antivirus firm McAfee found multiple dark market shops selling hacked RDP connections to systems, from as few as 15 to as many as 40,000. The prices ranged from $3 per connection to $19, depending on the hardware configuration and available bandwidth of the targeted systems.
“In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops,” the McAfee researchers said in a report. “The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts.”
The RDP protocol offers an easy way to remotely administer computers and embedded systems running Windows. Among the RDP connections offered for sale, researchers have spotted point-of-sale terminals, thin clients and servers.
The systems belonged to governments, municipalities, housing associations, healthcare institutions, nursing homes, suppliers of medical equipment and a variety of other companies.
While investigating a listing posted in April that offered access to a machine running Windows Server 2008 R2 Standard for $10, the McAfee researchers discovered that the compromised system belonged to a major U.S. airport.
“There are three user accounts available on this system, one of which is the administrator account,” the researchers said. “The names of the other accounts seemed unimportant at first but after performing several open-source searches we found that the accounts were associated with two companies specializing in airport security; one in security and building automation, the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz.”
Using the Shodan search engine, the researchers found another system on the same network that was exposed to the internet and was configured for remote RDP access. Based on the specific domain name it was in, that system was likely part of the airport’s automated transit system, which is used to transport passengers between terminals.
Hackers can abuse RDP access for in a variety of ways. They can use the targeted systems as proxies to hide the source of other attacks, they can use them to mine cryptocurrency, spread ransomware to systems inside local networks, send spam, harvest credentials for lateral movement and steal sensitive data, including payment card information if the compromised systems are PoS terminals.
Companies should make sure that sensitive systems are not exposed directly to the internet in general. If remote management via RDP is needed, this could be augmented with a VPN, and the access credentials should be complex and unique so they can’t be brute-forced.
Official Ammyy Admin Installer Tainted with Malware
The official download website for the free Ammyy Admin remote administration tool was compromised and was used to distribute a modified version of the application containing malware.
According to a new report from ESET, the compromise appears to have happened around June 13 and 14, with attackers bundling a multipurpose Trojan called Kasidet inside the Ammyy installer. The Kasidet malware is used by multiple cybercriminal groups and is designed to steal passwords and cryptocurrency wallets, among other things.
What’s interesting is that this is not the first time when the Ammyy Admin website has been compromised. For a period of time in 2015, attackers used the website to serve various malware programs, rotating them almost on a daily basis.
Ammyy Admin is a legitimate remote administration tool that is particularly popular in Russian-speaking countries. However, because cybercriminals also frequently deploy it on compromised computers for remote access, several antivirus products detect it as a potentially unwanted application.
This is the latest incident in a growing string of software supply-chain attacks over the past two years where hackers compromised the official download sites or build infrastructure of popular applications and used them to deliver versions rigged with malware.