1.3 million Windows RDP servers’ login data collected from hacker market

UAS, the largest hacker marketplace for stolen RDP credentials, has leaked the login names and passwords of over 1.3 million currently and historically compromised Windows Remote Desktop servers.

This massive leak gives security researchers a glimpse into the cybercrime economy and lets them use the data to tie up loose ends in previous cyber-attacks.

Cyber-security firm Advanced Intel has launched a new service called RDPwned that benefits network administrators, who can now verify whether their RDP credentials have been sold on the market.

Why are RDP servers important?

RDP, or Remote Desktop Protocol, is Microsoft’s remote access solution that allows users to access applications and the desktop of a Windows device remotely.

Because of its widespread use, criminals have built a thriving economy around selling stolen credentials for RDP servers. They sell remote desktop accounts for as little as $3 and typically no more than $70, far below what one would expect access to a corporate network to cost.

With that access, they perform a variety of malicious actions on the network, including spreading further through the network, stealing data, installing point-of-sale (PoS) malware to harvest credit card data, installing backdoors, and deploying ransomware.

UAS, the biggest marketplace for RDP credentials

UAS, or Ultimate Anonymity Services, sells Windows Remote Desktop login credentials, stolen Social Security Numbers, and access to SOCKS proxy servers.

It stands out as the largest marketplace because it performs manual verification of the RDP account credentials it sells, offers customer support, and provides tips on retaining remote access to compromised systems.

A security researcher says, “The market functions partially like eBay – a number of Suppliers work with the market. They have a separate place to log in and upload the RDPs they hacked. The system will then verify them, collect information about each one (os, admin access? internet speed, cpu, memory etc etc), which is added to the listing.”

“The supplier interface provides real time stats for the suppliers (what sold, what didn’t, what was sold but a refund was asked for, etc).”

“They also provide support if for some reason what you bought doesn’t work. They do take customer support seriously.”

Threat actors purchase the stolen RDP accounts and can search the compromised devices by country, state, city, zip code, ISP, or operating system, which allows them to find the specific servers they need.

Monitoring the UAS marketplace in secret

A group of security researchers has had secret access to the database of the UAS marketplace since 2018 and has quietly collected the sold RDP credentials for three years. During that period they collected IP addresses, usernames, and passwords for over 1,379,609 accounts. This data has been shared with Advanced Intel’s Vitali Kremez.

The RDP servers are from all over the world. They include servers of government agencies in over sixty-three countries, including Brazil, India, and the United States, as well as servers of high-profile companies, with many from the healthcare industry.

Analysis of the 1.3 million accounts in the database reveals the following:

  • The top five login names for the sold RDP servers are ‘Administrator’, ‘Admin’, ‘User’, ‘test’, and ‘scanner’; the top five passwords are ‘123456’, ‘123’, ‘P@ssw0rd’, ‘1234’, and ‘Password1’.
  • The top five countries represented in the database are the United States, China, Brazil, Germany, India, and the United Kingdom.

Check if your RDP is compromised

RDPwned is a service launched by Vitali Kremez to help companies and admins check whether their servers are in the leaked database.

Kremez said, “The marketplace is tied to a number of high-profile breaches and ransomware cases across the globe. A number of ransomware groups are known to purchase initial access on UAS. This treasure trove of adversary-space data provides a lens into the cybercrime ecosystem, and confirms that low-hanging fruit, such as poor passwords and internet-exposed RDP, remain one of the leading causes of breaches.”

“RDPwned will also help illuminate old breaches for which they never figured out initial access. For others, it will give them a chance to resolve the security problem before it becomes a breach.”

To use the service, according to Kremez, a company must submit contact information for an executive or administrator, whom Advanced Intel will vet. Once the user’s identity is verified, Advanced Intel will confirm whether the company’s server is listed in RDPwned.