Thousands of RDP credentials of a Major Airport Sold on the Dark Web
A recent report revealed that credentials for systems at an international airport were sold for only $10. According to the airport administrators who verified the genuineness of the credentials, the stolen credentials allow access to the building automation systems and to systems linked to security.
According to the report, the stolen details were for the remote desktop protocol (RDP) of the airport, which gives employees the opportunity of working through computers remotely.
For several years, the SamSam ransomware group has utilized RDP credentials to launch attacks on systems.
According to The Verge, a Russian-language marketplace has sold access to thousands of hacked computers in the US. The hacked computers include those for building automation systems and those linked to airport security.
McAfee discovered the sale and immediately started an underground investigation in the marketplaces where the security systems are sold.
For several years, Microsoft has been teaching system administrators to use Remote Desktop Protocol to control other computer systems.
But it seems the system administrators are not the only group looking for this knowledge. Several cybercriminals have started targeting the RDP-enabled systems, as they make use of them to carry out various hacking schemes.
According to the report, a Russian-language site known as the Ultimate Anonymity Service has provided access to more than 40,000 RDP systems. Some of them are based in the US, and many of them are Windows-based servers.
McAfee researchers revealed that during their investigation, the hackers are selling a simple configuration for $3 and a high-bandwidth system configuration for as little as $19. The configuration gives the buyer access to administrator rights.
According to the McAfee researchers, the hackers' whole data compromise process was not as complicated as one might expect. The researchers said these hackers usually scan the web to find systems that respond to RDP connections. Once they find such systems, they launch a brute-force attack using very popular password cracking tools.
After compromising and stealing the details, they proceed to the anonymous marketplace to sell their loot. This leads to more cybercrime since those who buy the stolen details can launch their attack in the future.
An infiltrated server can be used as a launching avenue for spam emails. With the infiltrated server, threat actors can send out malware, or the server can be used to mine cryptocurrency without the knowledge of the owner.
In worse cyber attacks, the threat actors can infect a server with ransomware or steal all of the data from the compromised server. That attack can result in further attacks in the future that can result in identity theft and fraud.
According to McAfee researchers, the affected airport systems were offered for sale as access to Windows-based servers. However, upon further investigation, the cybersecurity company found that the vulnerable airport system used IP addresses from a major airport.
The same vulnerable server was also leaked on the internet, as it utilizes user accounts connected to two firms specializing in airport security.
Another surprising thing is the fact that the underground marketplace where these stolen credentials are sold has been around and operational for some years.
In line with the latest discoveries, McAfee has recommended that system administrators should always use two-factor authentication and complicated passwords to protect their systems, especially on systems with remote access capabilities.
Also, RDP connections need to be protected by a firewall, and system admins need to check regularly for unusual login attempts so that they are discovered in time.
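As an added example (not from the article or from McAfee's report), the following Python check shows one way to act on the "watch for unusual login attempts" advice: it walks Windows Security log records, keeps only RDP logons (logon type 10), flags any source IP with a burst of failed logons (event 4625) inside a sliding window, and notes when a successful logon (event 4624) from the same IP follows the burst. The log records, IP addresses and usernames are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, reduced to the fields used here:
# (timestamp, event_id, logon_type, target_user, source_ip).
# event_id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2018-07-11T02:14:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2018-07-11T02:14:09", 4625, 10, "admin", "198.51.100.7"),
    ("2018-07-11T02:14:17", 4625, 10, "Administrator", "198.51.100.7"),
    ("2018-07-11T02:14:25", 4625, 10, "administrator", "198.51.100.7"),
    ("2018-07-11T02:14:33", 4625, 10, "support", "198.51.100.7"),
    ("2018-07-11T02:14:41", 4625, 10, "administrator", "198.51.100.7"),
    ("2018-07-11T02:16:05", 4624, 10, "administrator", "198.51.100.7"),  # success after the burst
    ("2018-07-11T08:01:12", 4625, 10, "jdoe", "192.0.2.10"),             # one typo, then a normal logon
    ("2018-07-11T08:01:30", 4624, 10, "jdoe", "192.0.2.10"),
    ("2018-07-11T09:00:00", 4625, 10, "backup", "203.0.113.5"),
    ("2018-07-11T11:30:00", 4625, 10, "backup", "203.0.113.5"),          # too spread out to count as a burst
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced >= threshold failed RDP logons
    inside a sliding window; each alert records whether a successful RDP logon
    from the same IP followed the burst (the pattern of a guessed password)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    alerts = {}                   # src_ip -> alert dict
    for ts, event_id, logon_type, user, src_ip in sorted(events):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons are of interest here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src_ip]
            q.append(t)
            while q and t - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src_ip, {"src_ip": src_ip, "failures": 0,
                                               "first_seen": q[0], "success_after": None})
                a["failures"] = max(a["failures"], len(q))
        elif event_id == 4624 and src_ip in alerts and alerts[src_ip]["success_after"] is None:
            alerts[src_ip]["success_after"] = (user, t)   # burst followed by success: treat as a compromise
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only 198.51.100.7 is flagged, with six failures in under a minute followed by a successful logon as "administrator"; the single typo from 192.0.2.10 and the two widely spaced failures from 203.0.113.5 stay below the threshold.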
Two months ago, NBC News carried a report about the discovery made by cybersecurity firm Trustwave. According to the report, Trustwave caught a hacker who was selling 245 million records of personal data and 186 million US voters’ records on the dark web.
The firm is involved in dark web investigations, and it has caught other hackers who are selling similar hacked credentials on the dark web.