Cyber criminals are offering remote access to IT systems for just $10 via a dark web hacking store -- potentially enabling attackers to steal information, disrupt systems, deploy ransomware and more.
The sales of backdoor access to compromised systems was uncovered by researchers at security company McAfee Labs looking into the sale of remote desktop protocol (RDP) access to hacked machines on underground forums -- some of which are selling access to tens of thousands of compromised systems.
RDP access is a standard tool which allows one user to connect to and control another user's computer over a network. The process is often used for support and administration, but in the wrong hands, RDP can be leveraged with devastating consequences -- researchers point to how SamSam ransomware campaigns begin with RDP access as an example of this.
Leveraging RDP access also provides a bonus to the attacker because they don't need to use tools like spear-phishing emails or exploit kits.
Systems advertised for sale on the forum range from Windows XP through to Windows 10, with access to Windows 2008 and 2012 Server most common. The store owners also offer tips for how those using the illicit logins can remain undetected.
Examining the IP addresses of compromised machines listed in one online store led researchers to discover that three belonged to a single international airport.
"This is definitely not something you want to discover on a Russian underground RDP shop," said John Fokker, head of cyber investigations for McAfee Advanced Threat Research.
Further investigation found that two of the IP addresses were presented alongside a screenshot of a login screen which could be accessed via RDP with three user accounts tied to the system -- one of which being the administrator account.
Perhaps most significantly, McAfee says the accounts are associated with two companies which provide airport security: one in camera surveillance, and one in security and building automation.
But with tens of thousands of RDP logins for sale, the airport wasn't the only sensitive system found up for sale -- researchers discovered criminals selling access to devices in government, hospitals and nursing homes.
All of those organisations which have been identified as having access to their systems up for sale have been informed and McAfee is working with them to uncover how machines were compromised.
In order to protect against this type of attack, researchers recommend the use of complex passwords and two-factor authentication, and disabling RDP connections over the internet. It's also recommended that system administrators keep an eye out for suspicious IP addresses and unusual login attempts.
"Even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured," said Fokker.
READ MORE ON CYBER CRIME
- Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'
- Researchers find stolen military drone secrets for sale on the dark web (CNET)
- The Dark Web: How much is your bank account worth?
- Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic)
- Cheap crimeware kits help wannabe hackers get into the malware business