Stolen credentials for corporate remote access servers are being sold by Dark Web vendors for as little as £2.28 apiece.
Using credentials purchased from the Dark Web, hackers are now able to spy on and steal sensitive data from enterprises' remote access servers.
The stolen credentials have been put up for sale on Ultimate Anonymity Services, a Dark Web marketplace where hackers and cyber criminals can shop for such credentials to gain the ability to spy on and steal sensitive data from corporate servers.
According to security firm Flashpoint, Ultimate Anonymity Services has been active since February of last year and is now offering as many as 35,000 brute forced RDPs for sale. These credentials belong to enterprises from all over the world except those that belong to the Commonwealth of Independent States. These countries include former Soviet Republics like Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.
The largest number of stolen credentials for remote access servers come from China (7,216), followed by Brazil (6,143), India (3,062), Spain (1,335) and Colombia (929). Flashpoint believes that the largest number of credentials were stolen from these countries 'due to lax cybersecurity hygiene involving remote connection monitoring.'
The firm added that UAS is selling credentials belonging to enterprises in the European Union for between $5 and $9 apiece, depending upon the operating system used by such enterprises.
How are enterprises affected?
Flashpoint states that by utilising fraudulently obtained RDP access, hackers have been successful in breaching several hospitality, retail, and online payment services. Compromised RPD servers not only provide direct access to victim networks but can also be used as instruments of anonymity.
'As RDPs are set up for remote access to an office’s resources, they provide an initial vector into the target organization. By elevating privileges, threat actors can pivot from the environment to which the RDP server provided access to other, more target-rich environments.
'This could potentially allow actors access to proprietary internal documents or resources, as well as entry points in which to drop various payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals, said researchers Olivia Rowley and Vitali Kremez.
To prevent their data from unauthorised access, opganisations must conduct audits and reviews of any externally accessible RDP connections to their networks. At the same time, they should secure their RDPs with strong and complex passwords
Tyler Reguly, manager of security research and development at Tripwire, says that organisations should be able to justify the business need of having their remote access software accessible via the Internet. Remote access software are juicy targets for hackers as they offer a gateway to loads of data.
As such, organisations should always enable VPN access instead of public-facing remote access software and should always use two-factor authentication. The latter ensures that weak or leaked passwords will not lead to organizational compromise.
'When parents head out for the evening, they don’t leave their child home alone and say, “Well, we locked the door, they’ll be fine.” They hire a babysitter, leave contact details and emergency numbers, and then, as they’re leaving, they lock the door. Think of 2FA [two factor authentication] as your babysitter, ensuring that the door remains locked and everything stays safe,' he adds.