
RDPalooza: RDPs in the World of Cybercrime

 

Key Points 

  • Remote Desktop Protocol (RDP) is a built-in part of the Windows toolkit popular for facilitating remote work. Cybercriminals take interest in compromising RDP endpoints as they provide direct access into a victim environment via a graphic interface.  
  • Internet-facing RDP endpoints – colloquially known among cybercriminals simply as “RDPs” – are typically easy to identify, trivial to compromise, and can be used in a wide variety of cybercriminal schemes.  
  • Free or cheap tools created to illicitly gain access to internet-facing RDPs – typically through checking commonly-used username and password combos – abound, as well as shared lists of commonly used credentials or default passwords. This significantly lowers the barrier to entry into the world of RDP compromise.  
  • Compromised RDPs can be found for sale on massive underground shops dedicated solely to the exchange of RDPs as well as on cybercriminals forums and marketplaces.  
  • Common threats and attacks perpetrated thanks to RDP compromise include online payment card fraud, the cashout of stolen bank accounts, and ransomware deployment in corporate environments.
  • Ransomware gangs such as those behind Ryuk, Cl0p, and Sodinokibi have all been found to use RDPs to get an initial foothold into victim environments.

 

ABCs of RDPs 

As COVID-19 has pushed much of the international workforce to working from home, remote access tools have become increasingly prevalent as workers seek ways to connect to remote workstations, servers, and other endpoints. While a variety of tools and application-level protocols are used to achieve this, one of the most popular is the Remote Desktop Protocol, or RDP.  

RDP is a built-in part of the Windows toolkit that allows users to establish sessions with remote devices using a graphical user interface (GUI). The uses of such technology are abundant and varied: while COVID-19 has undoubtedly ushered in a tremendous amount of RDP connections related to remote work, RDP enjoys other uses such as allowing small businesses to easily outsource their IT projects.  

When compromised, these RDP servers – known colloquially among cybercriminals simply as “RDPs” – offer tantalizing possibilities to malicious threat actors. This direct connection into an environment makes cybercriminal mouths water, especially when such a connection might present an open door into a corporate environment. The past few years have seen an intense and sustained cybercriminal interest in compromising poorly secured, internet-facing RDPs in order to conduct all manner of malicious activity. Ransomware gangs in particular have notoriously seized on the opportunities presented by these poorly secured connections; the gangs behind Ryuk, Cl0p, and Sodinokibi have all been found to use RDPs to get an initial foothold into victim environments.

This trend has continued, if not accelerated, in COVID-19 times. In April 2020, researchers at Kaspersky noted that they were observing record numbers of RDP bruteforcing attacks. Complementing this RDP bruteforcing ecosystem is a myriad of RDP shops – functioning in a similar manner to card shops or credential shops – that have popped up on the cybercriminal underground to facilitate the trade in compromised RDPs. Adding fuel to the fire, the cybercriminal underground is teeming with conversations about the various ways to abuse and monetize these compromised assets, both for conducting fraud and for distributing malware.  

 

RDP Devotees: Cybercriminal Interest in RDPs 

Why do RDPs appeal to cybercriminals?  

There are millions of internet-facing RDPs located across the globe and used by professionals across industries. This abundance of RDPs translates into an abundance of potential targets for cybercriminals. As we’ll dive into later in this blog, these RDPs can be easily identified using free or cheap scanning tools or even discovered using publicly available research datasets such as Shodan. This means that not only are there millions of potential targets, but that these targets are relatively easy to identify.  

Image 1: Shodan results from mid-November 2020 show over three million internet-facing RDP connections. 

From a security perspective, internet-facing RDPs are typically regarded as less-than-ideal. Despite that, millions exist, perhaps due to lack of knowledge, poor implementation, or some other factor. As a result, Blueliv analysts identified internet-facing RDPs spanning sectors including healthcare, government, legal, research, infrastructure, law enforcement, academia, insurance, and more.

Image 2: Internet-facing RDP uncovered on Shodan belonging to a US-based law firm. 

The icing on the cake for cybercriminals is that not only are these RDPs numerous and easy to find, but many of them are poorly secured and relatively simple to compromise. Countless blog posts by security researchers have shed light on the rampant use of easy-to-guess passwords for RDP logins. Upsettingly but unsurprisingly, such research can be found dating back almost a decade.

 

MITRE ATT&CK
TA0007: Discovery
T1046: Network Service Scanning

RDP Compromise Step 1: Identify 

Both small-time fraudsters and well-organized cybergangs may attempt to gain access to RDPs in order to fuel their various operations. For threat actors seeking to compromise RDP endpoints, the first step is typically to identify internet-facing RDPs. Various tools exist to identify such targets, ranging from legitimate port scanning tools used by penetration testers, such as nmap, to shadier port scanners shared within the cybercriminal community. These scanners report back to the cybercriminal which IPs have an open port 3389, the default RDP port.  

Image 3: Details from Blueliv’s Threat Context showing threat actors who have used the “Network Service Scanning” ATT&CK technique in their activities. 

 

MITRE ATT&CK
TA0006: Credential Access
T1110: Brute Force

MITRE ATT&CK
TA0001: Initial Access
T1133: External Remote Services

RDP Compromise Step 2: Gain Access 

After a cybercriminal identifies internet-facing RDP servers, they will often attempt to gain access via bruteforcing, password spraying, or other similar techniques. For years, researchers have sounded the alarm over the use of weak credentials to secure RDPs. Cybercriminals (and pen testers) have capitalized on this lax security, and lists of commonly used RDP credentials are openly shared. Here is a sample taken from one such list of common RDP passwords, found on GitHub:

  • 123456 
  • 12345 
  • 123456789 
  • password 
  • iloveyou 
  • princess 
  • 1234567 
  • rockyou 
  • 12345678 
  • abc123 
  • nicole 

In addition to checking well-known login information (a technique known as a dictionary attack), cybercriminals may also turn to bruteforcing as a means of obtaining access to an RDP. According to research conducted by Microsoft in December 2019, RDP bruteforcing attacks typically last about 2-3 days; 5% of attacks, however, last longer than 2 weeks. Such sustained efforts demonstrate an enduring and determined cybercriminal interest in gaining access to RDPs.  

Such attempts are facilitated by the ease with which such tasks may be automated. Various bruteforcers and other account cracking software can be employed to illicitly gain access to RDPs. In the course of this investigation, Blueliv analysts saw references to dozens of different account cracking tools such as NLBrute, RDP Forcer, and Medusa. Many of these tools don’t require any type of special access to find and download, nor specialized skillsets to operate. In fact, YouTube videos abound describing how these tools work and in some cases even offering free downloads of the tool.  
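From the defender's side, the dictionary, bruteforce and password-spraying behaviour described above leaves a distinctive trace in the Windows Security log: bursts of failed logons (event ID 4625) against one account from one source, or a fan of failures across many accounts from one source, sometimes followed by a successful logon (event ID 4624) from the same address. The script below is an added example, not code from the original post or from Blueliv; it runs over constructed, simplified log lines (the `EventID=... LogonType=... TargetUserName=... IpAddress=...` format, the IP addresses, account names and thresholds are all assumptions made for illustration) and flags the three patterns with a sliding time window.

```python
"""Detect RDP credential attacks in (simplified) Windows Security log lines.

Added example, not part of the original post. Log format, sample values and
thresholds are constructed assumptions; adapt the parser to your own SIEM
export format (e.g. fields of events 4625 / 4624).
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). LogonType 10 = RemoteInteractive
# (an RDP session); NLA pre-authentication failures are commonly logged as
# LogonType 3, so both are treated as RDP-relevant. The LogonType 2 line is a
# local console logon and must be ignored by the detector.
SAMPLE_LOG = """
2020-11-15T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:00:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:00:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:00:07 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:00:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:00:11 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:00:14 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-11-15T02:10:00 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=198.51.100.23
2020-11-15T02:12:00 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.23
2020-11-15T02:14:00 EventID=4625 LogonType=3 TargetUserName=sqlsvc IpAddress=198.51.100.23
2020-11-15T02:16:00 EventID=4625 LogonType=3 TargetUserName=helpdesk IpAddress=198.51.100.23
2020-11-15T08:30:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2020-11-15T08:30:20 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2020-11-15T09:00:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
"""

RDP_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=10)          # sliding window for counting failures
BRUTE_FORCE_THRESHOLD = 5               # failures from one source within WINDOW
SPRAY_ACCOUNTS_THRESHOLD = 4            # distinct accounts from one source within WINDOW

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event_id>\d+)\s+LogonType=(?P<logon_type>\d+)"
    r"\s+TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["event_id"]),
        "logon_type": int(m["logon_type"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
    }


def detect_rdp_credential_attacks(lines, window=WINDOW,
                                  bf_threshold=BRUTE_FORCE_THRESHOLD,
                                  spray_threshold=SPRAY_ACCOUNTS_THRESHOLD):
    """Return brute-force sources, password-spray sources and successes that
    followed an attack, based on failed/successful RDP logon events."""
    events = [e for e in map(parse_event, lines)
              if e and e["logon_type"] in RDP_LOGON_TYPES]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)

    brute_force, spray = {}, {}
    for ip, evs in failures.items():
        in_window = deque()            # failures inside the current window
        users_in_window = Counter()    # account -> failures inside the window
        peak_failures, peak_users = 0, set()
        for e in evs:
            in_window.append(e)
            users_in_window[e["user"]] += 1
            while e["ts"] - in_window[0]["ts"] > window:   # slide the window forward
                old = in_window.popleft()
                users_in_window[old["user"]] -= 1
                if users_in_window[old["user"]] == 0:
                    del users_in_window[old["user"]]
            peak_failures = max(peak_failures, len(in_window))
            if len(users_in_window) > len(peak_users):
                peak_users = set(users_in_window)
        if peak_failures >= bf_threshold:
            brute_force[ip] = peak_failures
        if len(peak_users) >= spray_threshold:
            spray[ip] = sorted(peak_users)

    # A successful RDP logon from a source already flagged, after its first
    # failure, is the highest-priority signal: the guessing may have worked.
    suspicious = set(brute_force) | set(spray)
    success_after_attack = [
        (e["ip"], e["user"], e["ts"].isoformat())
        for e in events
        if e["event_id"] == 4624 and e["ip"] in suspicious
        and e["ts"] >= failures[e["ip"]][0]["ts"]
    ]
    return {"brute_force": brute_force, "password_spray": spray,
            "success_after_attack": success_after_attack}


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_credential_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(f"{name}: {hits}")
```

On the sample, 203.0.113.7 is reported as a brute-force source (six failures in under a minute) and its later successful logon as `success_after_attack`, 198.51.100.23 is reported as password spraying (four distinct accounts, one attempt each), and the single typo-then-success from 192.0.2.10 is ignored. Thresholds this low suit a demonstration; in production, tune them against your own baseline and raise the priority of any success that follows a flagged source, since the guessing campaigns described above can run for days.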

Image 4: A YouTube video demonstrates how to gain access to RDPs using KPortScan and NLBrute. 

 

MITRE ATT&CK
TA0001: Initial Access
T1190: Exploit Public-Facing Application

RDP Compromise: Exploitation 

The potential also exists for cybercriminals to take advantage of vulnerable RDPs to gain access. Concern over this situation was on full display in summer 2019 after the disclosure of CVE-2019-0708, better known as BlueKeep. According to the MITRE CVE database, BlueKeep is described as the following:  

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.

 

The fact that BlueKeep is a wormable remote code execution (RCE) vulnerability immediately drew concern. This was coupled with reporting that suggested nearly one million devices were vulnerable to BlueKeep. As of yet, BlueKeep has not seen the mass exploitation that was feared early on, but the potential for such an event remains. At the very least, BlueKeep draws attention to the potential for threat actors to use other tools besides account crackers in order to gain access to RDP endpoints.  

Image 5: Results for BlueKeep in Blueliv’s ThreatContext module, which includes useful information about CVEs. 

 

RDPs, Please: Sale of RDPs on the Cybercriminal Underground  

While many threat actors choose to compromise RDPs for use in their own illicit schemes, others will often turn around and sell such compromised assets to other threat actors on the cybercriminal underground. There are various venues facilitating this trade.  

Standalone RDP shops exist, as well as shops that sell RDPs alongside other illicit goods such as email spamming tools. RDPs can also be found for sale on darknet marketplaces and numerous underground forums. In the course of this research, Blueliv analysts investigated cybercriminal conversations involving RDPs taking place in English-, French-, Spanish-, Portuguese-, and Russian-language underground communities. Strikingly, RDPs were discussed and observed for sale in all such linguistic communities.  

 

Dedicated RDP Shops 

Just as there exist card shops dedicated to the sale of compromised payment cards and account shops to sell compromised credentials, so too exist RDP shops to sell RDPs.  

One of the most prolific RDP shops was xDedic. The shop takes its name from the Russian slang for “dedicated servers” (“дедик”) and was remarkable for its extensive inventory. xDedic offered tens of thousands of compromised RDPs for sale from around the world. Well-known and highly regarded on the cybercriminal underground, the shop was seized by law enforcement in January 2019. In the accompanying press release by the US Department of Justice, the government estimated that xDedic “facilitated more than $68 million in fraud,” an incredible number that highlights the lucrative role that RDPs and RDP shops play in the cybercriminal underground.  

Even before the takedown of xDedic, the shop was dwarfed by another prominent underground RDP shop called UAS. UAS – standing for “Ultimate Anonymity Services” – is the biggest known RDP shop, with an inventory of over 43,000 RDPs in scores of countries.

Image 6: Stills from a graphic banner advertising UAS. 

The UAS site is available in both English and Russian and accepts payment in the cryptocurrencies Bitcoin and Litecoin. Much like card shops and credential shops, UAS provides potential clients with a multitude of filters and pertinent information to sort through when deciding to purchase a compromised RDP server. Filters include fields such as country, state, and operating system, among others.

The site also provides fairly in-depth information about each individual RDP. For example, UAS lists whether the browser history shows visits to sites that are potentially valuable to cybercriminals, such as sites related to dating, online gambling, email, money exchange, and retail.

 

Image 7: A UAS listing for an Ohio-based RDP server shows that the victim has previously visited the dating site Zoosk as well as Gmail.  

Another prominent RDP shop is dubbed WannaBuy and is aimed at suiting the needs of bulk purchasers. The shop markets itself as the new xDedic, and appears to have come online in February 2019, shortly after the law enforcement-led shuttering of xDedic. Like many RDP shops, WannaBuy is available in both English and Russian, but unlike other shops it offers RDPs belonging to victims in countries located in the Commonwealth of Independent States (CIS).  

Image 8: The WannaBuy RDP shop offers RDP from around the world. 

While WannaBuy and UAS are two of the most prominent shops, numerous other RDP shops exist as well. These shops may cater to cybercriminals interested in specific types of cybercrime – for example, spamming – or offer compromised RDPs from a specific country or region. Many shops that specialize in the sale of other illicit goods have expanded their offerings to include RDPs as well; for instance, the notorious credential shop BlackPass also offers compromised RDPs for sale. 

 

Individual Vendors 

In addition to the massive standalone RDP shops detailed above, RDPs are also swapped on darknet marketplaces and underground forums. Whereas RDP shops primarily cater towards Russian- and English-speaking clients, such peer-to-peer sales of RDPs can be found across various linguistic communities. This global interest in RDPs is noteworthy, as cybercriminal interest in certain schemes, tools, and malware tends to vary from region to region. RDP is one of the tools that span these linguistic divides.  

These individual vendors of RDPs run the gamut in terms of the professionalization of their enterprises. Many of the vendors active on darknet marketplaces have detailed advertisements and several RDP offerings, and vendors on English-language forums such as HackForums – where many of the RDP offerings are geared towards cryptojacking operations – typically include slick graphics in their advertisements. On the other hand, cybercriminals on the Latin American underground typically attempt to attract customers with simple posts stating what they have for sale. 

Image 9: A US-based RDP available for sale on White House Market. 

Image 10: A vendor on a Spanish-language underground forum advertises RDPs.

Blueliv analysts observed RDPs for sale on various forums and underground marketplaces. The price of a compromised RDP appeared to be based on several factors such as whether malicious software came pre-installed on the machine and where in the world the RDP is located. RDPs located in North America and Western Europe typically cost more than their counterparts elsewhere. 

 

Conclusion 

Cybercriminals are attracted to RDPs as they are multitudinous, relatively easy to compromise, and can be weaponized in a variety of cybercriminal schemes. Common threats and attacks perpetrated thanks to RDP compromise include online payment card fraud, the cashout of stolen bank accounts, and ransomware deployment in corporate environments, among other illicit uses. Tools to facilitate RDP compromise can be found with ease and without requiring advanced knowledge of technical concepts. As a result, compromised RDPs exist in abundance on the cybercriminal underground, offered for sale across linguistic communities and even spawning their own specialized shops where threat actors may filter and browse through thousands of offerings in order to find something that fits their particular needs.  

If you are now looking for some RDPeace of mind, here are some considerations for security teams:

  • Question whether RDP is necessary for your teams to operate.
  • If RDP is assessed to be necessary, ensure that the RDP is not internet-facing but rather is behind a VPN service, for instance.
  • One of the pieces of advice that will be in infosec until the end of time: use strong passwords! Do not use default credentials, passwords that are the same as the username, or other passwords that are simple to guess or bruteforce.
  • Use two-factor authentication whenever possible.
  • Patch your systems!

Perhaps now more than ever, we must be vigilant and take seriously the security of tools that facilitate remote work. With the doors to our offices temporarily closed, it is important to ensure that we are not leaving the virtual doors open.  

 

This blog post was authored by Liv Rowley and supported by the Blueliv Labs team. 
