Thanks to my colleague Christiaan Beek for his advice and contributions.

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops, online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems to potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect. The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group only have to spend an initial $10 to get access and are charging $40K ransom for decryption, not a bad return on investment.

Figure: A screenshot of Blackpass.bz, one of the most popular RDP shops, largely due to the variety of services offered.

Security maven Brian Krebs wrote the article "Really Dumb Passwords" in 2013. That short phrase encapsulates the vulnerability of RDP systems. Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.

The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies from day to day by about 10%. The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, products offered, and potential victims.

Figure: The number of compromised systems claimed to be available for sale by several RDP shops. A single compromised system can appear on more than one shop's list.

How do cybercriminals (mis)use RDP access?

RDP was designed to be an efficient way to access a network. By leveraging RDP, an attacker need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defenses. Once attackers gain access, they are in the system. Scouring the criminal underground, we found the top uses of hacked RDP machines promoted by RDP shops.

False flags: Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim's machine, effectively planting a false flag for investigators and security researchers. Attackers can plant this flag by compiling malicious code on the victim's machine, purposely creating false debugging paths and changing compiler environment traces.

Spam: Just as spammers use giant botnets such as Necurs and Kelihos, RDP access is popular among a subset of spammers. Some of the systems we found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check, to see if the systems were flagged by Spamhaus and other antispam organizations.

Account abuse, credential harvesting, and extortion: By accessing a system via RDP, attackers can obtain almost all data stored on a system. This information can be used for identity theft, account takeovers, credit card fraud, extortion, and more.

Cryptomining: In the latest McAfee Labs Threats Report, we wrote about the increase in illegal cryptocurrency mining due to the rising market value of digital currencies. We found several criminal forums actively advertising Monero mining as a use for compromised RDP machines.

Figure: Monero mining via RDP advertised on a cybercriminal forum.

Ransomware: The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialized criminal groups such as SamSam are known to use RDP to easily enter their victims' networks almost undetected.

Systems for sale: The advertised systems ranged from Windows XP through Windows 10.
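The brute-force and credential-stuffing activity the article attributes to tools such as Hydra, NLBrute and RDP Forcer leaves a recognisable trail in the Windows Security log: bursts of logon failures (event 4625) from one source, often rotating usernames, and then a success (event 4624). The detector below is an added example written for this page, not code from McAfee or the article; the log lines are constructed in a simplified one-line format whose field names mirror the real events, and the addresses (203.0.113.7 from the TEST-NET-3 documentation range, 10.0.0.5), usernames and thresholds are all invented for the sample.

```python
"""Detect RDP brute-force / credential-stuffing patterns in Windows logon events.

Added example (not from the original McAfee article). Input is a constructed,
simplified rendering of Security log events 4625 (logon failed) and 4624 (logon
succeeded); field names mirror the real event fields but the line format is ours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one attacker source (203.0.113.7, TEST-NET-3 documentation range)
# trying several usernames and then succeeding; one legitimate admin (10.0.0.5) who
# mistypes a password once. Nothing here is real log data.
SAMPLE_LOG = """\
2018-07-10T03:15:01Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2018-07-10T03:15:02Z 4625 LogonType=3 User=admin Src=203.0.113.7
2018-07-10T03:15:03Z 4625 LogonType=10 User=administrator Src=203.0.113.7
2018-07-10T03:15:04Z 4625 LogonType=10 User=jsmith Src=203.0.113.7
2018-07-10T03:15:05Z 4625 LogonType=10 User=jsmith Src=203.0.113.7
2018-07-10T03:15:06Z 4625 LogonType=10 User=backup Src=203.0.113.7
2018-07-10T03:15:40Z 4624 LogonType=10 User=backup Src=203.0.113.7
2018-07-10T03:16:00Z 4624 LogonType=10 User=jsmith Src=10.0.0.5
2018-07-10T03:17:00Z 4625 LogonType=10 User=jsmith Src=10.0.0.5
2018-07-10T03:17:05Z 4624 LogonType=10 User=jsmith Src=10.0.0.5
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<lt>\d+) User=(?P<user>\S+) Src=(?P<src>\S+)$"
)
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication enabled the
# credential check happens before a session exists and failures are logged as type 3
# (Network), so a filter on type 10 alone misses most RDP brute forcing.
RDP_LOGON_TYPES = {10, 3}


def parse_events(text):
    """Parse the simplified log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"].lower(),
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5),
                          fail_threshold=5, user_threshold=3, success_min_failures=3):
    """Sliding-window detection per source address.

    - >= fail_threshold failures inside `window` -> 'bruteforce', or 'spray' when the
      failures span >= user_threshold distinct usernames (dictionary and breached-credential
      lists rotate usernames as well as passwords);
    - a successful logon preceded by >= success_min_failures failures in the window ->
      'success_after_failures', the alert that actually needs a response.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (timestamp, username) for recent failures
    already_flagged = set()
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if e["eid"] == 4625:
            q.append((e["ts"], e["user"]))
            users = sorted({u for _, u in q})
            if len(q) >= fail_threshold and e["src"] not in already_flagged:
                already_flagged.add(e["src"])
                alerts.append({"ts": e["ts"], "src": e["src"], "failures": len(q), "users": users,
                               "kind": "spray" if len(users) >= user_threshold else "bruteforce"})
        elif e["eid"] == 4624 and len(q) >= success_min_failures:
            alerts.append({"ts": e["ts"], "src": e["src"], "failures": len(q),
                           "users": [e["user"]], "kind": "success_after_failures"})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print("%s %s %-24s failures=%d users=%s" % (
            a["ts"].isoformat(), a["src"], a["kind"], a["failures"], ",".join(a["users"])))
```

On the sample the attacker source raises a `spray` alert at the fifth failure (three distinct usernames) and a `success_after_failures` alert when the `backup` account finally logs in; the administrator's single typo from 10.0.0.5 stays below every threshold. The `success_min_failures` floor is what keeps that second rule from paging on ordinary mistyped passwords, and the inclusion of logon type 3 is the caveat most first attempts at this rule get wrong.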
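The false-flag section describes attackers compiling code on the victim's machine so that its debugging paths and compiler traces point at the victim. The traces in question live in the PE headers: the COFF link timestamp and the CodeView RSDS record (PDB path, GUID, age) in the debug directory. The extractor below is an added example for this page, not McAfee's code; it parses those structures from raw bytes and also constructs a minimal test image so it runs offline. The PDB path, timestamp and fixed GUID in the test image are invented. Because the linker writes every one of these fields from the build environment, an analyst should treat them as leads to corroborate, never as proof of where a binary was built.

```python
"""Recover the build traces a PE file carries (COFF timestamp, CodeView PDB path).

Added example, not code from the McAfee article. The RSDS record and the timestamps
are written by the linker, so whoever runs the compiler (on the victim's machine, in the
article's false-flag scenario) controls them completely; the values this returns are
triage leads, not evidence of origin.
"""
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DIRECTORY_ENTRY_DEBUG = 6


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def extract_build_traces(data):
    """Return COFF/debug timestamps and the RSDS PDB path, GUID and age (None if absent)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    coff_timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = 112 if magic == 0x20B else 96      # data directory offset: PE32+ vs PE32
    traces = {"coff_timestamp": coff_timestamp, "debug_timestamp": None,
              "pdb_path": None, "pdb_guid": None, "pdb_age": None}
    num_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return traces
    dbg_rva, dbg_size = struct.unpack_from(
        "<II", data, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0:
        return traces
    sec_tbl = opt + opt_size
    # section header fields at +8: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    raw = [struct.unpack_from("<IIII", data, sec_tbl + i * 40 + 8) for i in range(num_sections)]
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in raw]
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // 28):              # IMAGE_DEBUG_DIRECTORY is 28 bytes
        ent = dbg_off + i * 28
        dbg_ts = struct.unpack_from("<I", data, ent + 4)[0]
        dtype, _size, _addr, ptr_raw = struct.unpack_from("<IIII", data, ent + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or data[ptr_raw:ptr_raw + 4] != b"RSDS":
            continue
        end = data.index(b"\0", ptr_raw + 24)    # PDB path is NUL-terminated after the age
        traces.update(
            debug_timestamp=dbg_ts,
            pdb_guid=str(uuid.UUID(bytes_le=bytes(data[ptr_raw + 4:ptr_raw + 20]))),
            pdb_age=struct.unpack_from("<I", data, ptr_raw + 20)[0],
            pdb_path=data[ptr_raw + 24:end].decode("utf-8", "replace"),
        )
        break
    return traces


def build_test_pe(pdb_path, timestamp, pe32plus=True):
    """Construct a minimal, non-executable PE image (headers plus one section) carrying a
    debug directory with an RSDS record. Test input only; GUID and contents are invented."""
    e_lfanew, sec_va, sec_raw = 0x40, 0x1000, 0x200
    opt_size = 240 if pe32plus else 224
    rsds = (b"RSDS" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
            + struct.pack("<I", 1) + pdb_path.encode("utf-8") + b"\0")
    dbg_entry = struct.pack("<IIHHIIII", 0, timestamp, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(rsds), sec_va + 28, sec_raw + 28)
    section = dbg_entry + rsds
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1,
                                    timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    dd_base = 112 if pe32plus else 96
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd_base - 4, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG,
                     sec_va, len(dbg_entry))
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_va, len(section),
                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section


if __name__ == "__main__":
    image = build_test_pe(r"C:\Users\victim\source\repos\tool\x64\Release\tool.pdb", 1530000000)
    print(extract_build_traces(image))
```

Run against a real sample, a path such as the constructed `C:\Users\victim\...` string is exactly the kind of artefact the article warns about: it names a user and a workstation layout, and it costs nothing to produce on any machine the attacker can reach over RDP. Comparing the COFF and debug-directory timestamps with each other and with the first time the file was seen in the environment gives one cheap consistency check; agreement between them still proves nothing about who built it.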