What can $10 buy you in a hacker marketplace? How about remote access to a major international airport?
A Russian-language site has been selling access to thousands of hacked computers, one of which connected to a US airport’s security and building automation systems, according to new research.
The sale was noticed by cybersecurity firm McAfee, which has been investigating underground marketplaces that specialize in selling remote access to compromised servers.
For years, Microsoft has been offering system administrators a way to control other company computers through the Remote Desktop Protocol or RDP. Unfortunately, RDP-enabled systems have also become a target for cybercriminals, who can use them for a variety of hacking schemes.
The Russian-language marketplace, Ultimate Anonymity Services, has been offering access to around 40,000 RDP systems, McAfee said in a Wednesday blog post. Many are Windows-based servers, and some are based in the US.
“Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights,” McAfee said.
How have so many servers been compromised? It’s actually not as hard as you might think. “Attackers simply scan the internet for systems that accept RDP connections and launch a brute-force attack with popular (password-cracking) tools,” McAfee said in its report.
The attackers can then sell their booty on a marketplace, which can further fuel cybercrime. For instance, a compromised server can be used as a launching pad to generate spam email, send out malware, or mine cryptocurrency.
In more devious schemes, hackers can steal all the data from a compromised server or infect it with ransomware, leaving the system’s owner to wrestle with the consequences.
In the case of the vulnerable airport system, McAfee said it was simply being sold as access to a Windows-based server. However, the security firm began digging further and noticed that it used IP addresses from a major airport. The same server was also exposed on the open internet and contained user accounts relating to two companies that specialize in airport security.
Although the incident is certainly worrisome, underground marketplaces that sell RDP access to hacked servers have been around for years. McAfee recommends that system administrators use complex passwords and two-factor authentication on computers that offer remote access. RDP connections should also be firewalled, and regular checks should be made to look out for unusual login attempts.
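One way to run the check for unusual login attempts recommended above, as an added example that is not from the article or from McAfee. It assumes Windows Security-log events (ID 4625 for a failed logon, 4624 for a successful one) exported to a hypothetical five-column CSV; the sample rows, the threshold and the time window are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows: time, event ID, logon type, source IP, account.
SAMPLE = """\
2024-01-10T02:00:01,4625,3,203.0.113.7,administrator
2024-01-10T02:00:03,4625,3,203.0.113.7,admin
2024-01-10T02:00:05,4625,3,203.0.113.7,administrator
2024-01-10T02:00:09,4625,3,203.0.113.7,administrator
2024-01-10T02:00:11,4625,3,203.0.113.7,administrator
2024-01-10T02:00:14,4624,10,203.0.113.7,administrator
2024-01-10T08:30:00,4625,10,198.51.100.20,jsmith
2024-01-10T08:30:40,4624,10,198.51.100.20,jsmith
2024-01-10T09:00:00,4625,2,-,jsmith
"""

# 10 = RemoteInteractive (RDP); 3 = Network (failed RDP logons under NLA).
REMOTE_LOGON_TYPES = {"3", "10"}

def find_bruteforce(rows, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed remote logons inside window."""
    recent = defaultdict(deque)   # source IP -> times of recent failures
    findings = {}
    for row in rows:
        if len(row) != 5 or row[2] not in REMOTE_LOGON_TYPES:
            continue              # blank/malformed line or local logon
        ts, event_id, _, ip, account = row
        when = datetime.fromisoformat(ts)
        failures = recent[ip]
        while failures and when - failures[0] > window:
            failures.popleft()    # drop failures older than the window
        if event_id == "4625":    # failed logon
            failures.append(when)
            if len(failures) >= threshold:
                hit = findings.setdefault(ip, {"max_failures": 0, "success_after": []})
                hit["max_failures"] = max(hit["max_failures"], len(failures))
        elif event_id == "4624" and ip in findings:
            # Success from a source that was guessing passwords: escalate first.
            findings[ip]["success_after"].append(account)
    return findings

def analyse(text=SAMPLE):
    return find_bruteforce(csv.reader(io.StringIO(text)))

if __name__ == "__main__":
    for ip, hit in analyse().items():
        print(ip, hit)
```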