Fri. Feb 22nd, 2019

Stolen RDP Credentials

Due to an international police takedown, the popular Russian language cybercrime marketplace and forum xDedic Marketplace remains offline.

U.S. authorities estimate that xDedic, which was launched in 2014, helped facilitate more than $68 million in global fraud.

On January 24, 2019, the U.S. Department of Justice stated that seizure orders had been executed against the domain names of the xDedic Marketplace, effectively halting the website's operation.

The takedown effort was international in scope, reflecting the distributed infrastructure used by xDedic. The U.S. probe that resulted in the seizure order was handled by the FBI and the Internal Revenue Service's Criminal Investigation unit.

The xDedic forum is a known source of stolen information and credentials, including remote desktop protocol (RDP) credentials, which criminals gather and sell to others who want to break into a specific organization.

“The xDedic administrators strategically maintained servers all over the world. In addition, they utilized bitcoin to hide the locations of its underlying servers and the identities of its administrators, buyers and sellers.”

Remote Access on the Cheap

RDP credentials have been a cornerstone of the cybercrime economy. After Kaspersky Lab released a 2016 report that credentials for 250,000 RDP servers around the world were being sold, xDedic closed up shop and reopened as a darknet site, reachable only via the anonymizing Tor browser.

Vitali Kremez, director of research at threat intelligence firm Flashpoint, in April 2017 analyzed an exposed xDedic dataset that contained RDP access information for 85,000 servers. He also found that the most heavily compromised sectors were education, healthcare, legal and aviation.

Europol says the credentials available for sale on xDedic could be used to gain remote access to organizations across numerous sectors, such as local, state and federal government infrastructure and hospitals.

In 2017, the minimum price of a remote desktop protocol credential on xDedic was $10, whereas RDP credentials sold for $3 and up.

Buyers Will Likely Flock to UAS

It is suspected that UAS will take over the RDP marketplace, solidifying its standing as the pre-eminent RDP shop now that its main competitor is out of business. This will likely lead to more profits for the cybercriminals running UAS and their affiliates.

After AlphaBay and Hansa

That shift has been driven by ongoing police takedowns of cybercrime forums, which have included law enforcement agencies seizing lists of customers and then paying them a visit.

In 2018, the FBI, Europol and law enforcement partners announced the seizure of the world's two biggest darknet marketplaces: AlphaBay and Hansa.

The law enforcement takedown of AlphaBay occurred around July 4, 2017, which led many users to switch to Hansa.

However, Dutch police had already seized control of Hansa on June 20, 2017, and monitored it for one month before taking it offline.

RDP Credential Harvesting Continues

But criminals’ collection of RDP credentials continues.

To study the problem, for 9.5 days in November 2018, Hudak ran an RDP honeypot consisting of a Windows 7 virtual machine with mostly default settings.

The system also had an open RDP server, which recorded more than 58,000 logon attempts using 4,980 different usernames over the nearly 10 days that the system was active.

Hudak states that the first attacker to access the system via RDP installed ransomware, while the second and third attempted to establish persistence so they could return later or sell that access to others.

Any firm using RDP should ensure that it is locked down and well monitored.
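As an added example of the monitoring the article recommends (this is not code from the article or from Hudak's honeypot), the following Python script scans constructed Windows Security log records for failed RDP logons (Event ID 4625 with logon type 10, RemoteInteractive) and flags any source address that exceeds an assumed threshold of attempts or of distinct usernames tried, the pattern the honeypot recorded. The one-record-per-line format, the sample addresses and the thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample records (not real honeypot data). The format is a
# simplified one-line-per-event export of Windows Security events.
SAMPLE_LOG = """\
2018-11-03T01:12:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-11-03T01:12:06Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-11-03T01:12:07Z EventID=4625 LogonType=10 TargetUser=user SourceIP=203.0.113.7
2018-11-03T01:12:08Z EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.7
2018-11-03T01:12:09Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2018-11-03T01:12:10Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2018-11-03T02:40:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2018-11-03T02:40:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2018-11-03T03:15:00Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)

def parse_rdp_failures(log_text):
    """Return {source_ip: [usernames tried]} for failed RDP logons only."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed records instead of aborting the scan
        # 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
        # Successful logons (4624) and local/console failures are ignored here.
        if m.group("event") == "4625" and m.group("ltype") == "10":
            failures[m.group("ip")].append(m.group("user").lower())
    return failures

def flag_brute_force(failures, max_attempts=5, max_users=3):
    """Flag sources over the assumed attempt or distinct-username thresholds."""
    alerts = {}
    for ip, users in failures.items():
        attempts, distinct = len(users), len(set(users))
        if attempts > max_attempts or distinct > max_users:
            alerts[ip] = {"attempts": attempts, "distinct_users": distinct}
    return alerts

if __name__ == "__main__":
    for ip, stats in flag_brute_force(parse_rdp_failures(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {stats['attempts']} failed RDP logons, "
              f"{stats['distinct_users']} usernames tried")
```

On a real host the same logic applies to Event 4625 records pulled from the Security log; a single failed attempt from a known workstation (the 198.51.100.20 record above) stays below the threshold, while a source cycling through many usernames is reported.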