In-brief: An analysis of 85,000 hacked Remote Desktop Protocol (RDP) servers traded on the cyber criminal marketplace xDedic shows that education and healthcare networks were the most frequently compromised, typically through brute force password guessing.
Hackers are targeting vulnerable Remote Desktop Protocol (RDP) deployments to gain access to healthcare, education and government networks, among other targets, according to research released by the firm Flashpoint, which studied a set of 85,000 hacked RDP servers obtained from xDedic, a cyber criminal marketplace.
Education networks represented the majority of the systems Flashpoint studied, with health networks the second most common target in the set of 85,000 compromised servers in the xDedic data. Hackers use criminal botnets to break into RDP servers using “brute force” password guessing attacks, Flashpoint said. Once they have access, attackers can control the system on which the RDP server is installed, attacking other systems on the same network to steal data or launching external attacks, the company said. Government and aviation networks were also among those in the dataset. The targeted systems were mostly located in the United States, Germany, and Ukraine, Flashpoint reported.
The data from xDedic, a “Dark Web” marketplace that specializes in sales of compromised RDP servers, offers a unique insight into cyber criminal trade in such servers. Remote Desktop Protocol is a Microsoft-developed technology that allows individuals to remotely control computers: interacting with and controlling graphical interfaces over the Internet. Though developed for Windows, RDP clients exist for most modern operating systems including Linux, Unix, OS X, iOS, and Android. The technology has been embraced by IT and support professionals, who use it to remotely administer systems or troubleshoot problems.
But RDP deployments often fall short on security. Weak user names and passwords are the most common problem, Flashpoint said. Short, weak passwords make it possible for cyber criminals in control of botnets to quickly test thousands or tens of thousands of candidate combinations until they guess the correct one. According to the firm, xDedic cyber criminals typically begin by launching large-scale scanning and brute force attacks to collect as much information as possible, and only then sort the potential value of each individual target.
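The brute force pattern described above leaves a characteristic trace on the victim host: a burst of Windows Security log failed-logon events (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, cycling through a handful of account names, sometimes followed by a successful logon (Event ID 4624, same logon type) from that address once a guess lands. The following detector is an added example written for this page, not code from Flashpoint or from the article; the event records it runs over are constructed inline to mimic parsed Security log entries, and the threshold and window are assumed defaults a defender would tune to their environment.

```python
"""Flag RDP brute force from Windows Security log records (added example).

Assumptions: records are dicts shaped like parsed Security log events with
Event ID 4625 (failed logon) / 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP). Sample events below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def _constructed_events():
    """Build a small, labelled sample: one brute-force burst, some noise."""
    base = datetime(2016, 6, 15, 9, 0, 0)
    events = []
    # 30 failed RDP logons from one source in about three minutes,
    # cycling through common account names (the spray the article describes)
    for i in range(30):
        events.append({"time": (base + timedelta(seconds=6 * i)).isoformat(),
                       "event_id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
                       "user": ["administrator", "admin", "user"][i % 3],
                       "src_ip": "203.0.113.5"})
    # ...then a successful RDP logon from the same source: a guess landed
    events.append({"time": (base + timedelta(minutes=3, seconds=10)).isoformat(),
                   "event_id": SUCCESSFUL_LOGON, "logon_type": RDP_LOGON_TYPE,
                   "user": "admin", "src_ip": "203.0.113.5"})
    # three typos from a legitimate remote worker: below any sane threshold
    for i in range(3):
        events.append({"time": (base + timedelta(seconds=30 * i)).isoformat(),
                       "event_id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
                       "user": "jsmith", "src_ip": "198.51.100.7"})
    # network (type 3) failures from another host: not RDP, ignored here
    for i in range(25):
        events.append({"time": (base + timedelta(seconds=2 * i)).isoformat(),
                       "event_id": FAILED_LOGON, "logon_type": 3,
                       "user": "backup", "src_ip": "192.0.2.9"})
    return events


SAMPLE_EVENTS = _constructed_events()


def find_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold failed RDP
    logons inside any sliding window, noting whether a success followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons are of interest
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == FAILED_LOGON:
            failures[e["src_ip"]].append((t, e["user"]))
        elif e["event_id"] == SUCCESSFUL_LOGON:
            successes[e["src_ip"]].append(t)

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        # densest window: two-pointer sweep over the sorted timestamps
        best_count, best_end, start = 0, 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_end = end - start + 1, end
        if best_count < threshold:
            continue
        last_failure = times[best_end]
        alerts[ip] = {
            "failures": best_count,
            "users": sorted({u for _, u in attempts}),
            "first": times[best_end - best_count + 1].isoformat(),
            "last": last_failure.isoformat(),
            # a success at or after the burst is the "guess landed" signal
            "followed_by_success": any(s >= last_failure for s in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

On a live host the same records come from the Security log, for example via PowerShell's `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`, with the logon type and source address taken from the event's properties; the point of the `followed_by_success` flag is that a burst of 4625s alone is an attempt, while a 4624 of the same logon type from the same source afterwards means the host should be treated as compromised and investigated for the pivoting and persistence the article goes on to describe.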
Exploitable vulnerabilities and other configuration errors also leave RDP deployments susceptible to compromise, Flashpoint said. And, once attackers have access to an RDP host, they can pivot to reconnoitering the network it is on and attacking other, high value assets.
Flashpoint said it has observed conversations on xDedic and similar hacking forums in which criminals ask for advice on configuring their compromised RDP hosts to disguise their presence and keep illicit activity undetected, suggesting that RDP compromises may be the first stage of long-term “persistent” cyber attacks.
Read the full report here: Flashpoint – “xDedic” Dataset Suggest Government, Corporate RDP Targets