RDP Ports Prove Hot Commodities on the Dark Web

Published: 23/11/2024   Category: security




Remote Desktop Protocol access continues to thrive in underground markets, sold primarily to hackers who lack the expertise to find exposed ports themselves.



Security trends come and go, but the sale of Remote Desktop Protocol (RDP) ports continues to thrive on the Dark Web as malicious hackers seek easier means of gaining access to corporate networks.
RDP is a Microsoft protocol and client interface used on several platforms, including Windows, where it has been a native OS feature since Windows XP. Most of the time, RDP is used for legitimate remote administration: when companies outsource IT, or remote admins have to access a colleague's machine, they most commonly use RDP to connect to it.
But the same technologies that enable administrators to access remote machines can give hackers the keys they need to break into, move around, and steal data from enterprise targets.
"It really goes with the entire story of this growing crime-as-a-service market," says Ed Cabrera, chief cybersecurity officer at Trend Micro. The buying and selling of RDP credentials - like any other credentials bought and sold on the criminal underground - has evolved from one-stop-shop transactional forums to a decentralized, specialized marketplace, he says. Attackers can buy RDP credentials in bulk, or they can seek out data they need to target specific industries.
There are many actions a threat actor can take with RDP access (credential harvesting, account takeover, and cryptocurrency mining among them), and it's easier for them to launch these threats if they have access to an RDP port. Skilled attackers often find the ports themselves by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.
Still, many threat actors of all skill levels buy RDP access on the Dark Web, where the ports are hot commodities, as are tools to delete attackers' activity once their work is done.
"Knockoff versions of some popular tools proliferate as well once the original developers decide to no longer support their tools," write Flashpoint's Luke Rodeheffer, cybercrime intelligence analyst, and Mike Mimoso, editorial director, in a blog post on the topic. The tools continue to generate interest on Dark Web forums, primarily Russian-speaking marketplaces, according to Flashpoint.
How much will attackers spend on these credentials? It depends what they're looking for. Earlier this year, researchers on the McAfee Advanced Research Team found RDP access for a major international airport being sold via the Russian RDP shop UAS for the low price of $10. However, actors may pay more for access to specific sectors and/or high-value targets.
Chet Wisniewski, principal research scientist in Sophos' Office of the CTO, says the quantities of RDP ports available on the Dark Web have kept prices low, "almost identical to what we see with stolen credit cards." "Same with RDP, there are tens of thousands of open RDP systems across the Internet," he says.
So You Have RDP Credentials. Now What?
Once they have RDP credentials, attackers can use their access to launch several attacks. Stolen usernames and passwords mark the initial attack vector in just about every cyberattack, Cabrera says, noting they help start phishing campaigns, ransomware, and data breaches. RDP access helps attackers target server infrastructure directly.
"If I get access to a server, to RDP, I can just launch the Web browser that's built in and download anything and everything I want to build on that system," says Wisniewski. It doesn't take an advanced attacker to abuse RDP; as he puts it, "even the dumbest criminal can do a reasonable amount of damage."
Once they're inside, attackers typically target the passwords of admin accounts to maximize their system access. They might download and install low-level system-tweaking software and use it to disable or reconfigure anti-malware software on the machine, Sophos researchers explained in a post on RDP and ransomware distribution. They may also turn off database services to leave files vulnerable, or upload and run their choice of ransomware.
"If it's handy for a system administrator, it's handy for a hacker," Wisniewski adds. If you have remote control software facing the Internet, any attacker can find and abuse it.
However, advanced attackers can do more damage with the same level of access.
Hotter Targets, Higher Prices
Less skilled attackers are more likely to purchase bulk RDP access on the Dark Web, Wisniewski adds, because they lack expertise to find open ports. Skilled hackers are more likely to seek out and purchase credentials to high-value targets; for example, defense contractors.
"It's not only identifying and selling in bulk," says Cabrera. "I think what's happening with RDP credentials, like other services and commodities, is that the criminals today are becoming a little more sophisticated in what they're looking for." Instead of selling credentials in bulk, they can categorize them and provide guaranteed persistence or system access.
Someone who finds 100 exposed RDP servers can, instead of selling access on a forum for $10 each, figure out who they belong to, says Wisniewski. Low-value credentials sell in bulk for cheap, but high-value targets can go for markedly higher prices – up to tens of thousands of dollars. The high dollar value is limited to adversaries who want that specific access.
Oftentimes high-value targets are sold by attackers who harvested many RDP ports, conducted reconnaissance, and recognized they had something valuable but didn't want to risk exploiting it and facing criminal penalties. Rather than risk jail time, they take their findings to the Dark Web in hopes a more skilled attacker will want to buy it, he continues.
Cybercriminals are serving other criminals and becoming more sophisticated in the offerings they're able to provide, Cabrera explains. Not every criminal enterprise is the same, and those that provide the best services and commodities will continue to grow. "It is incredibly valuable for [RDP] to be sold in the criminal underground," he says.
How to Stay Safe: Get Offline
"The way you know it's been compromised is it's on the Internet at all," says Wisniewski. Under no circumstances should RDP ports be exposed online, and they should always go through a VPN and be protected with multi-factor authentication.
"That's table stakes for 2018," he continues. "If it's on the Internet, someone's going to make money with it."
He advises companies to lock down their servers so they have fewer capabilities if and when they are compromised. Make sure any system that is exposed, or available via VPN, is locked down so it can't access critical systems. "Most organizations are smart enough to be scanning their own network interfaces to ensure they're offline," he says.
Breaching networks and servers via RDP ports remains of great interest to cybercriminals, according to Flashpoint, and there is a clear trend toward automating the process of detecting exposed RDP targets and brute-forcing access. The company recommends using complex passwords for RDP instances and avoiding relying on default or weak credentials.
"Flashpoint assesses with high confidence that cybercriminals will likely continue to use such automated technology to obtain illicit RDP access, breach servers, and remove traces of their activity," Flashpoint's blog says. Flashpoint predicts with moderate confidence that the potential for RDP access tools in cryptomining will drive their popularity among criminals.
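Flashpoint's closing point, that attackers automate brute-forcing of exposed RDP and then remove traces of their activity, maps onto two Windows Security-log signals a defender can watch for: a burst of failed logons (event 4625) against RDP from a single source, and the audit log being cleared (event 1102). The detector below is an added illustration, not code from the article or from Flashpoint, Sophos or Trend Micro. It assumes the events have already been exported to dicts with the usual field names (EventID, LogonType, IpAddress, TargetUserName, TimeCreated, SubjectUserName); the five-failures-in-five-minutes threshold, the decision to count logon type 3 failures as RDP-stage failures when Network Level Authentication is on, and the sample event records themselves are all constructed for the example.

```python
"""Flag RDP password-guessing, and the log clearing that often follows it,
from Windows Security-log events.

Added illustration: the event records below are constructed, and the field
names follow a typical Security-log export (Get-WinEvent or a SIEM), not any
specific product schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # "An account failed to log on"
SUCCESSFUL_LOGON = 4624    # "An account was successfully logged on"
AUDIT_LOG_CLEARED = 1102   # "The audit log was cleared" - traces being removed
# Logon type 10 is RemoteInteractive (RDP). With Network Level Authentication
# enabled, failures before the session starts usually appear as type 3
# (Network), so both are counted by default. Assumption: tune for your estate.
RDP_LOGON_TYPES = frozenset({10, 3})


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          logon_types=RDP_LOGON_TYPES):
    """Return alerts, in time order, for:
      - rdp_bruteforce: a source IP with >= threshold RDP failures inside window
      - success_after_bruteforce: a later RDP success from an IP flagged above
      - audit_log_cleared: event 1102, regardless of source
    Each event is a dict with EventID and TimeCreated; logon events also
    carry LogonType, IpAddress and TargetUserName."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> failure timestamps in window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = ev["TimeCreated"]
        if ev["EventID"] == AUDIT_LOG_CLEARED:
            alerts.append({"type": "audit_log_cleared", "time": ts,
                           "subject": ev.get("SubjectUserName", "?")})
            continue
        if ev.get("LogonType") not in logon_types:
            continue  # console, service and batch logons are out of scope
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(q), "first": q[0], "last": ts})
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev.get("TargetUserName"), "time": ts})
    return alerts


def _at(minute, second=0):
    """Timestamp helper for the constructed sample (one fixed morning)."""
    return datetime(2024, 11, 23, 9, minute, second)


# Constructed sample: one ordinary typo from an office address, then six
# guesses in under a minute from 203.0.113.7 (a documentation-range address),
# a successful logon as administrator from the same address, and finally the
# audit log being cleared.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "192.0.2.5",
     "TargetUserName": "jsmith", "TimeCreated": _at(0)},
    *[{"EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7",
       "TargetUserName": user, "TimeCreated": _at(1, 10 * i)}
      for i, user in enumerate(["administrator", "admin", "backup",
                                "sqlsvc", "test", "guest"])],
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7",
     "TargetUserName": "administrator", "TimeCreated": _at(3)},
    {"EventID": 1102, "SubjectUserName": "administrator",
     "TimeCreated": _at(4)},
]


def alert_types(events=SAMPLE_EVENTS, **kwargs):
    """Convenience wrapper: the ordered sequence of alert types for events."""
    return [a["type"] for a in detect_rdp_bruteforce(events, **kwargs)]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, it reports three alerts for the constructed sample: the burst from 203.0.113.7, the successful administrator logon that followed from the same address, and the log clearing. The success-after-burst alert is the one worth paging on; a lone burst from one address is what an exposed RDP port sees constantly, which is the article's point about keeping it off the Internet in the first place.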