RDP strikes back with a vengeance

RDP strikes back with a vengeance


It’s amazing the number of sensitive machines exposed via the obvious Microsoft Remote Desktop Protocol (port: 3389 by default)- and given the carelessness with which staff tend to provision cloud computing resources for our infrastructure needs in this day in age - it remains a persistent weak-spot for everyone from the average Certified Public Accountant (CPA) (whose tax data cybercriminals will silently plunder & exploit- they have been doing so on a massive scale in recent years, in increasingly complex and organized tax-fraud schemes that underline the severity of the threat organized cybercrime poses to established businesses in the United States and abroad) to a banking institution with millions of customers whose data is often left exposed and un-protected, allowing hackers using RDP as a initial means of compromise to quickly siphon client’s social security numbers, employment history, credit ratings, Drivers License scans…and the list goes on.

So, what can an attacker gain from your average RDP?

It seems the question is more what can’t they gain from your average RDP…

image ^ An RDP for sale that is running POS software.

Based on my continuous monitoring and analysis of major marketplace xdedic.io, where RDPs (that is, the Username@Domain;Password;IP) data is sold by the thousand every day- a terrifying amount of sensitive information.

Based on a IP-based reconnaissance and profiling effort conducted on a sample set of 100 IP Addresses (with the proper account status, one can pay a mere 0.20$ to see the IP of a RDP before purchasing it- allowing smart and prepared criminals to quickly determine the value of the machine), I was shocked to discover one major banking institution (who was informed immediately), a number of government installations (a few of which looked like file servers - and upon inspection, contained citizen’s protected information (SSN, Credit History, etc..) all in an unprotected format- ready for exploitation and abuse - one CPA at a major firm in California, and more that is beyond the scope of this article.

Let me underline the fact this isn’t a “what-if” scenario- these machines are FOR SALE on an active marketplace for a bargain price between 10-40$.

It’s entirely possible a machine residing inside your corporate or business infrastructure is ready and available for purchase here, or potentially already being exploited by an attacker who recognizes the value of the machine and decides to keep it for himself (the more likely scenario).

When I sorted the machines available by price, I wasn’t shocked to find the most valuable machines (most expensive being 100$+) were clearly tagged as POS (Point of Sale) terminals. This fact is actually visible without needing to pay- as the operators of the site have taken great care to include a snippet of detected services (that is, notable programs like the obvious POS.exe) that are running.

I felt this was a particular item of interest given the new fines and penalties put forward within GDPR (as you have no doubt been informed by countless emails) - now the failure to secure your system from the initial compromise, and the subsequent data breach that follows when you fail to properly secure sensitive data on-disk, doesn’t just come with the cost of the PR disaster that follows the news your client’s information is exposed and available on the internet - but also with some enormous fines and penalties that are sure to (one would think…) prompt an immediate and comprehensive internal security audit within any organization, big or small.

RDP exposure today is an embarrassment from a security standpoint, storing data without compliance is now essentially a death sentence as per GDPR, so you may wonder: How do these attackers gain RDP access? Is it phishing/malware spread via Email or other means, internal compromise via an infected BadUSB? No, sadly the means by which criminals who sell this data is relatively simple and perhaps therein lies its efficacy. Default passwords, RDP open, sensitive data and critical infrastructure exposed…what could go wrong?