Dark Web / Market Sells Hacked RDP Access Starting From $3
Stolen or brute-forced remote desktop protocol (RDP) credentials have played a central role in many data breaches over the years.
Cybercriminals have made a business out of selling them on the underground market. For as little as $3, hackers can buy remote access into sensitive systems belonging to businesses, municipalities and even airports.
The dark web contains RDP shops: online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems that could potentially cripple cities and bring down major companies.
While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.
RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect.
How do attackers use RDP access?
False Flag / Clearing Traces:
- Using RDP access to create misdirection is one of the most common applications.
- Attackers can plant this flag by compiling malicious code on the victim's machine, purposely creating false debugging paths and changing compiler environment traces.
Spam:
- Spammers use giant botnets such as Necurs and Kelihos.
- RDP access is popular among a subset of spammers.
Account abuse, credential harvesting, and extortion:
- By accessing a system via RDP, attackers can obtain almost all data stored on that system.
- This information can be used for identity theft, account takeovers, credit card fraud, extortion, and more.
Cryptomining:
- Illegal cryptocurrency mining has increased with the rising market value of digital currencies.
- Several criminal forums were found actively advertising Monero mining as a use for compromised RDP machines.
Recommendations:
- Make sure that sensitive systems are not exposed directly to the internet.
- If remote management via RDP is needed, it should be augmented with a VPN.
- Using complex passwords and two-factor authentication makes brute-force RDP attacks less likely to succeed.
- Lock out users and block or time out IPs that have too many failed login attempts.
- Regularly check event logs for unusual login attempts.
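The last two recommendations applied to a constructed log sample, as an added example that is not part of the article or McAfee's research: the script assumes Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) and flags source IPs that exceed a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape of Windows Security log entries
# (EventID 4625 = failed logon; LogonType 10 = RemoteInteractive/RDP).
# These are made-up records for the example, not logs from the article.
SAMPLE_LOG = """\
2018-07-20T02:10:01 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2018-07-20T02:10:03 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2018-07-20T02:10:05 EventID=4625 LogonType=10 Account=root SourceIP=203.0.113.7
2018-07-20T02:10:06 EventID=4625 LogonType=10 Account=guest SourceIP=203.0.113.7
2018-07-20T02:10:08 EventID=4625 LogonType=10 Account=user SourceIP=203.0.113.7
2018-07-20T02:11:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.4
2018-07-20T02:30:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.4
2018-07-20T02:12:00 EventID=4625 LogonType=3 Account=svc SourceIP=203.0.113.9
2018-07-20T02:12:30 EventID=4624 LogonType=10 Account=jsmith SourceIP=198.51.100.4
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)"
)

def failed_rdp_logons(log_text):
    """Yield (timestamp, account, source_ip) for failed RDP logons only;
    successful logons (4624) and non-RDP logon types are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["eid"] == "4625" and m["lt"] == "10":
            yield datetime.fromisoformat(m["ts"]), m["acct"], m["ip"]

def ips_to_block(log_text, threshold=5, window_seconds=300):
    """Return {source_ip: iso_time} for IPs that reach `threshold` failed RDP
    logons within any `window_seconds` span. The time recorded is when the
    block/timeout would fire. Events are sorted first so out-of-order log
    lines are handled correctly."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _acct, ip in sorted(failed_rdp_logons(log_text)):
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell outside the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged
```

With the defaults, only 203.0.113.7 is flagged; the two failures from 198.51.100.4 are nineteen minutes apart and look like a user mistyping a password rather than a brute-force attempt.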
Singapore’s Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen
Singapore’s largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018.
According to an advisory released by Singapore's Ministry of Health (MOH), along with the personal data, hackers also managed to steal "information on the outpatient dispensed medicines" of about 160,000 patients, including Singapore's Prime Minister Lee Hsien Loong and a few ministers.
The stolen data includes the patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.
The Ministry of Health said the hackers “specifically and repeatedly” targeted the PM’s “personal particulars and information on his outpatient dispensed medicine.”
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) also confirmed that "this was a deliberate, targeted, and well-planned cyberattack."
Since the healthcare sector is part of the nation's critical infrastructure, alongside water, electricity, and transport, it has increasingly become an attractive target for hackers.
In the past few years, several hacks and data breaches targeting the healthcare sector have been reported. Just last month, it was revealed that DNA registries of more than 92 million MyHeritage customers were stolen in the previous year by unknown hackers.
Cisco Has Released Patches for 25 Wireless Vulnerabilities
Cisco has advised users of its Policy Suite that it has discovered vulnerabilities which allow remote attackers to access different features of the solution.
According to Cisco, one of the vulnerabilities is due to a lack of authentication, meaning an attacker could gain access to existing repositories, make changes to them, and create new ones.
A vulnerability in the Cluster Manager could allow a remote attacker to log in to an affected system using the root account, which has default, static user credentials.
An exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
The vulnerability affects releases prior to Release 18.2.0, and there are no workarounds that address it. The tech giant has released free software updates that fix the vulnerability, and its security incident response team believes there has not been any malicious use.
The previous week, the company announced other vulnerabilities in the web-based user interface of its Cisco IP Phone 6800, 7800 and 8800 Series, among other products.