Black markets on the Dark web are not known for just buying drugs, it is a massive hidden network where you can buy pretty much anything you can imagine—from pornography, weapon, and counterfeit currencies, to hacking tools, exploits, malware, and zero-days.
One such type of underground marketplace on Dark Web is RDP Shop, a platform from where anyone can buy RDP access (remote desktop protocol) to thousands of hacked machines for a small fee.
While investigating several underground RDP shops, security researchers from the McAfee’s Advanced Threat Research team discovered that someone is selling remote access linked to security systems at a major International airport for as low as $10.
Yes, that’s $10, I didn’t miss any zeros.
Instead of buying RDP credential, researchers used the Shodan search engine to find the correct IP address of the hacked Windows Server machine, whose administrator account was up for sale, as shown in the screenshot.
When researchers landed on its login screen through Windows RDP, they found two more user accounts, which were “associated with two companies specializing in airport security; one in security and building automation, the other in camera surveillance and video analytics.”
“We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz,” the researchers write.
“We performed the same kind of search on the other login account and found the domain is most likely associated with the airport’s automated transit system, the passenger transport system that connects terminals.”
According to the researchers, black market sellers usually gain access to RDP credentials by merely scanning the Internet for systems that accept RDP connections, and then launch brute-force attack with popular tools like Hydra, NLBrute or RDP Forcer to gain access.
And once the attackers successfully log into the remote computer, they don’t do anything except putting the connection details up for sale on the Dark Web.
Anyone who buys access to such machines can move laterally within the network, create backdoors, alter settings, install malware and steal data.
As a solution, organizations should consider taking necessary RDP security measures, such as:
- disabling access to RDP connections over the open Internet,
- using complex passwords and two-factor authentication to make brute-force RDP attacks harder to succeed,
- locking out users and blocking IPs that have too many failed login attempts.