
Education, Healthcare & Government Targeted by Stolen RDP Logins

Education, healthcare and government are among the most frequently targeted industries, at least when it comes to the amount of stolen remote desktop protocol (RDP) logins up for sale on the dark web, according to an analysis of 85,000 servers from Flashpoint. Other targeted industries include legal and aviation.

Microsoft’s RDP client allows a user to remotely connect to another computer running RDP software over a network connection. It gives system administrators a way to provide tech support to servers and PCs remotely. While convenient for remote administrators, it’s also a convenient point of entry for malicious hackers, who use brute-force (programmatic password-guessing) attacks to gain access to RDP servers.

Online criminals use these attacks to find legitimate RDP credentials and put them up for sale on one of the largest dark web marketplaces, known as xDedic, effectively selling access to RDP servers connected to systems belonging to educational institutions, healthcare organizations, federal entities, legal firms and many others.

If they can access RDP servers using just a username and password, malicious hackers can move laterally within the network, create backdoors, install malware, steal data, alter settings and more. Windows is the most frequently targeted platform, which is unsurprising given that it accounts for 63% of devices, according to our analysis of data in The 2016 Duo Trusted Access Report (stay tuned - our 2017 edition is coming soon). Some 65% of those Windows devices are running an older version of the operating system, Windows 7, which means they’re missing out on many of the security features of the latest version, Windows 10.

Back when I wrote about xDedic last summer, it was defunct - now it appears to have emerged once again on the dark web, accessible via Tor with a new address. In a June 2016 report from Kaspersky Lab, access to over 70,000 servers from 173 different countries was up for sale on xDedic. They also found 453 servers with point-of-sale (POS) software installed, meaning they may have been used for some type of credit and debit card processing by companies in the retail industry.

In an analysis of one hacked server, Kaspersky Lab found that attackers compromised it by brute-forcing the RDP password, then installed malware that connected to a command & control (C&C) server. In an analysis of the victim servers that connected to several of the C&C servers that Kaspersky Lab had sinkholed, they were able to identify government entities and universities as some of the high-profile targets.

How can organizations protect against the risk of stolen and sold RDP credentials? Take inventory of your administrator RDP accounts and remove any that aren’t necessary, to reduce your attack surface.

Then implement two-factor authentication to protect access to every RDP account login using secure methods like U2F or Duo Push to mitigate the risk of a remote attacker logging into your RDP servers with a brute-forced password. That way, the attacker would need to physically tap your USB device or approve a push notification on your phone, in addition to using your password to be granted access.
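Alongside removing unneeded accounts and adding two-factor authentication, the brute-force pattern described above leaves a visible trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (event 4624) from the same source. The following detector is an added example, not code from the original post or from Duo; it assumes the log records have already been exported as dicts with the fields shown, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Windows Security log: 4625 = failed logon, 4624 = success, logon type 10 = RDP.
FAILED_LOGON, SUCCESS_LOGON, REMOTE_INTERACTIVE = 4625, 4624, 10

def _ev(time, event_id, ip, user):
    return {"Time": time, "EventID": event_id, "LogonType": REMOTE_INTERACTIVE,
            "IpAddress": ip, "TargetUserName": user}

# Constructed sample records (not real log data): one source guesses
# accounts for a minute and then gets in; another mistypes a password once.
SAMPLE_EVENTS = [
    _ev("2017-03-01T09:00:05", FAILED_LOGON, "203.0.113.5", "administrator"),
    _ev("2017-03-01T09:00:17", FAILED_LOGON, "203.0.113.5", "admin"),
    _ev("2017-03-01T09:00:31", FAILED_LOGON, "203.0.113.5", "backup"),
    _ev("2017-03-01T09:00:44", FAILED_LOGON, "203.0.113.5", "administrator"),
    _ev("2017-03-01T09:01:02", FAILED_LOGON, "203.0.113.5", "administrator"),
    _ev("2017-03-01T09:01:59", SUCCESS_LOGON, "203.0.113.5", "administrator"),
    _ev("2017-03-01T09:03:10", FAILED_LOGON, "198.51.100.7", "jsmith"),
    _ev("2017-03-01T09:03:25", SUCCESS_LOGON, "198.51.100.7", "jsmith"),
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: alert} for sources with >= threshold failed RDP logons in one
    window; success_after flags a later successful RDP logon from that source."""
    by_source = defaultdict(list)
    for e in events:
        if e["LogonType"] != REMOTE_INTERACTIVE:
            continue  # ignore console, network and service logons
        by_source[e["IpAddress"]].append(
            (datetime.fromisoformat(e["Time"]), e["EventID"], e["TargetUserName"]))
    alerts = {}
    for ip, recs in by_source.items():
        recs.sort()
        fails = [(t, u) for t, eid, u in recs if eid == FAILED_LOGON]
        start = 0
        for end in range(len(fails)):
            # slide the left edge so fails[start..end] fits inside the window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end][0]
                alerts[ip] = {
                    "failures": len(fails),
                    "usernames": sorted({u for _, u in fails}),
                    "success_after": any(eid == SUCCESS_LOGON and t > last_fail
                                         for t, eid, _ in recs)}
                break
    return alerts
```

A source that trips the threshold and then logs in successfully is the case to escalate first, since it most likely means a guessed password is now in use.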

Download our free guide, The Essential Guide to Securing Remote Access: Preventing Data Breaches With Strong Authentication, to learn more about:

Ideal for security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for any organization that needs to secure remote access to their environment.

Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.