These hackers sell network logins to the highest bidder. And ransomware gangs are buying
Stealing and selling RDP credentials has risen over the last year - and cyber criminal middlemen are making a profit by putting businesses at risk from ransomware and other attacks.
A growing class of cyber criminal is playing an important role on underground marketplaces by breaching corporate networks and selling access to the highest bidder to exploit however they please.
The buying and selling of stolen login credentials and other forms of remote access to networks has long been a part of the dark web ecosystem, but according to analysis by cybersecurity researchers at Digital Shadows, there's been a notable increase in listings by 'Initial Access Brokers' over the course of the last year.
These brokers work to hack into networks but rather than making profit by conducting their own cyber campaigns, they'll act as a middleman, selling entry to networks on to other criminals, making money from the sales.
Access via Remote Desktop Protocol (RDP) is the most sought after listings by cyber criminals. This can provide stealthy remote access to an entire corporate network because by allowing attackers to start from legitimate login credentials to remotely control a computer, so are much less likely to arise suspicion of nefarious activity.
This demand – and the potential access it offers – is reflected in the price of listings, with an average selling price for access via starting at $9,765. It's likely that the higher the price, the higher the number of machines the buyer would be able to access – providing more opportunity for exploitation.
This method of access is particularly popular among ransomware gangs, who can potentially make back what they pay for access many times over by issuing ransom demands of hundreds of thousands or even millions of dollars: $10,000 on initial access is almost nothing, if the target can be squeezed to pay a bitcoin ransom.
Expensive access listings are likely reflected in the quality of the target, Stefano De Blasi, threat researcher at Digital Shadows told ZDNet, "for example, RDP access with admin privileges and access to sensitive data."
Selling RDP access isn't a new trend, but the rise in remote working over the last year has seen enterprises suddenly switch to using much more RDP access, providing cyber criminals with additional avenues of attack.
Often, it's relatively simple for the cyber criminals acting as access brokers to find insecure RDP connections with publicly available tools. And it's still common for RDP to be set-up with easy-to-guess or default passwords. Ultimately, it's easy money for the seller to take these details and pass them on.
Analysis of some of the most popular forums for selling RDP credentials found that education, healthcare, technology, industrial and telecommunications are the most popular targets. Organisations in any of these industries would be a potentially lucrative target for a ransomware attacker.
Cyber criminals will continue to exploit RDP as a means of breaching networks, so it's important that organisations have a strategy to ensure the security of remote access when it's required – that can be as simple as applying multi-factor authentication and avoiding the use of easily guessable passwords.
"In practice, the fundamentals of protecting information such as one-time complex passwords and IT monitoring practices can go a long way in thwarting most superficial attacks," said Blasi.
Original Post: ZD Net