1.3 Million RDP Server Logins Collected from Hacker Market
UAS Leak Contains Login Names and Passwords for 1.3 million Current and Historically Compromised Windows Remote Desktop Servers.
This massive leak offers researchers, for the first time, a glimpse into the bustling cybercrime economy, and it puts into a new perspective the ways in which they can use the data to tie up loose ends on previous cyberattacks.
Why is RDP so important?
Remote Desktop Protocol (RDP) is meant to be a secure, interoperable protocol for network terminals, whose job is to create and establish secure connections between clients and servers or virtual machines.
Because RDP works across different Windows operating systems and devices, it is the listing most sought after by cybercriminals.
Starting from perfectly legitimate login credentials, criminals can obtain access to an entire corporate network. Since the attacker remotely controls the computer with valid credentials, the system does not recognize the nefarious activity taking place and no security measure is triggered, allowing the criminals full and uninterrupted access.
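The point above is that a logon with a stolen but valid credential looks like any other logon, so detection has to come from context rather than from the credential check. As an added example (not code from the article or from Heimdal), here is detection logic a defender could run over exported Windows Security 4624 events: it surfaces RDP logons (LogonType 10) that arrive from outside the internal ranges or from an account/source pair not in the baseline. The event field names, sample events and internal ranges are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample of Windows Security 4624 (successful logon) events, as a
# SIEM export might present them. LogonType 10 = RemoteInteractive (RDP).
# The field names are an assumption about the export format, not a real schema.
SAMPLE_EVENTS = [
    {"ts": "2021-05-06T08:02:11", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\jsmith", "src_ip": "10.20.30.41"},
    {"ts": "2021-05-06T08:15:52", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\jsmith", "src_ip": "10.20.30.41"},
    {"ts": "2021-05-06T03:41:09", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\svc_backup", "src_ip": "198.51.100.77"},
    {"ts": "2021-05-06T09:00:00", "event_id": 4624, "logon_type": 2,
     "account": "CORP\\alee", "src_ip": "127.0.0.1"},
    {"ts": "2021-05-06T03:45:30", "event_id": 4624, "logon_type": 10,
     "account": "CORP\\jsmith", "src_ip": "203.0.113.9"},
]

# Internal ranges from which RDP logons are expected (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the source address falls inside one of the expected internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rdp_logon_alerts(events, known_pairs=None):
    """Return (ts, account, src_ip, reasons) for successful RDP logons that come
    from an external source or from an account/source pair not in the baseline.
    The credential itself is valid, so only this context distinguishes the logon."""
    seen = set(known_pairs or ())
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # not a successful RDP logon
        pair = (ev["account"], ev["src_ip"])
        reasons = []
        if not is_internal(ev["src_ip"]):
            reasons.append("external source")
        if pair not in seen:
            reasons.append("first seen account/source pair")
        seen.add(pair)  # later logons from the same pair are no longer "first seen"
        if reasons:
            alerts.append((ev["ts"], ev["account"], ev["src_ip"], reasons))
    return alerts
```

With the baseline containing only jsmith's usual workstation, the two logons from external addresses are the ones reported; in practice the baseline would be built from several weeks of internal history.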
UAS and its role in RDP credential fraud
UAS, also known as ‘Ultimate Anonymity Services,’ is a marketplace that sells Windows Remote Desktop login credentials, stolen Social Security Numbers, as well as access to SOCKS proxy servers.
UAS stands out by being such a large marketplace, and by offering manual verification of sold RDP account credentials, customer support, and tips regarding ways in which you can maintain remote access to a compromised computer.
The market functions partially like eBay – a variety of suppliers work with the market. They have a separate place to log in and upload the RDPs they hacked. The system will then verify them and collect information about each (OS, admin access, internet speed, CPU, memory, etc.), which is added to the listing.
The supplier interface provides real-time stats for the suppliers (what sold, what didn’t, what was sold but a refund was asked for, etc).
They also provide support if, for some reason, what you purchased doesn’t work. They do take customer support seriously.
When purchasing stolen RDP accounts, threat actors can filter compromised devices by country, state, city, zip code, ISP, or OS, allowing them to seek out the particular server they need.
Potential buyers can dig deeper into each server to view the number of Windows accounts, the web connection speed, the server’s hardware, and more, as shown below.
According to the data gathered by researchers so far, UAS is currently selling a massive 23,706 RDP credentials, even after the filtering of servers is taken into account.