A threat prevention firm is claiming to have access to 1.3 million breached RDP servers and their credentials, which were put up for sale on a popular dark web site.
New York-headquartered Advanced Intelligence is offering a new free service enabling concerned organizations to check if their RDP servers were part of the trove.
Ultimate Anonymity Services (UAS) has been running for around five years on the dark web, specializing in providing access to RDP servers. It’s known to be one of the largest and most reliable such marketplaces around.
The market for these offerings has exploded over the course of the pandemic, as remote workers use the Microsoft solution to access their corporate Windows desktop from home.
Attacks targeting RDP increased by 768% between Q1 and Q4 last year, according to ESET’s Q4 2020 Threat Report.
“The [UAS] marketplace is tied to a number of high-profile breaches and ransomware cases across the globe. A number of ransomware groups are known to purchase initial access on UAS,” explained Advanced Intelligence.
“This treasure trove of adversary-space data provides a lens into the cybercrime ecosystem, and confirms that low hanging fruit, such as poor passwords, and internet-exposed RDPs remain one of the leading causes of breaches.”
The threat prevention company’s new RDPwned site invites concerned organizations to submit a request via email, which will be manually verified by the team.
“We will be happy to search for you and your organization based on any reverse DNS, IP addresses, domains, or unique network attributes via the subsequent response email message to the provided contact email address,” it noted.
In the meantime, Advanced Intelligence recommended that organizations enable network-level authentication (NLA) and use two-factor authentication where possible, together with strong, complex passwords.
It also advised RDP owners to ensure their environment is free of well-known administrative accounts with well-known passwords, and to ensure RDP servers only accept connections from trusted sources.
Organizations can also check Shadowserver’s free service to see if their RDP assets are exposed to the internet.
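The hardening advice above (NLA, disabling well-known accounts, restricting RDP to trusted sources, checking internet exposure) can be audited locally on a Windows host. The script below is an added example written for this page; it is not code from the article, from Advanced Intelligence or from Shadowserver. It reads the standard Terminal Server registry values and uses the built-in NetSecurity and LocalAccounts cmdlets, and it assumes it is run in an elevated PowerShell session on the RDP host itself. Two-factor authentication is not something a host-local script can verify, so that item is left out.

```powershell
# Added audit script (not from the article): checks a Windows host against the
# RDP hardening recommendations. Run as Administrator. Nothing here is specific
# to UAS or RDPwned; the paths and cmdlets are standard Windows ones.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means inbound RDP is off.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 1) {
    Write-Host "RDP is disabled on this host; the remaining checks are informational."
}

# 2. Network Level Authentication: UserAuthentication = 1 requires the client to
#    authenticate before a session (and the logon screen) is created, which is
#    what blunts credential brute-forcing. SecurityLayer = 2 forces TLS rather
#    than legacy RDP security. To enforce NLA:
#    Set-ItemProperty -Path $rdpTcpPath -Name UserAuthentication -Value 1
$rdpTcpPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpTcp = Get-ItemProperty -Path $rdpTcpPath
if ($rdpTcp.UserAuthentication -ne 1) {
    $findings.Add("NLA is not required (UserAuthentication=$($rdpTcp.UserAuthentication)); set it to 1.")
}
if ($rdpTcp.SecurityLayer -ne 2) {
    $findings.Add("SecurityLayer=$($rdpTcp.SecurityLayer); 2 (TLS) is the recommended value.")
}

# 3. Well-known accounts: the built-in Administrator (RID 500) and Guest (RID 501)
#    should be disabled, because their names are the first ones a password-guessing
#    tool tries against an exposed RDP listener.
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    if ($u.Enabled -and ($rid -eq '500' -or $rid -eq '501')) {
        $findings.Add("Built-in account '$($u.Name)' (RID $rid) is enabled; disable or rename it.")
    }
}

# 4. Who is allowed to log on over RDP: review these lists for stale or shared accounts.
foreach ($grp in 'Remote Desktop Users', 'Administrators') {
    $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
    Write-Host "$grp members: $(($members | ForEach-Object Name) -join ', ')"
}

# 5. Trusted sources only: the built-in 'Remote Desktop' inbound firewall rules
#    should carry a RemoteAddress scope (VPN or management subnet), not 'Any'.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $addr = $r | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -contains 'Any') {
        $findings.Add("Firewall rule '$($r.DisplayName)' accepts RDP from any address; scope RemoteAddress to trusted ranges.")
    }
}

# 6. Exposure: a listener bound to all interfaces on a host with a public address is
#    the case the Shadowserver exposure report (mentioned in the article) would flag.
$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listen -and (($listen.LocalAddress -contains '0.0.0.0') -or ($listen.LocalAddress -contains '::'))) {
    $findings.Add("RDP (TCP 3389) is listening on all interfaces; confirm it is not reachable from the internet.")
}

if ($findings.Count -eq 0) {
    Write-Host "No RDP hardening findings."
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

The script only reports; the one remediation it spells out (setting `UserAuthentication` to 1) is left as a comment so that the change is a deliberate step rather than a side effect of running an audit. Firewall scoping and account clean-up are environment-specific and are best applied through Group Policy rather than per host.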