Cyber-Criminals Using Compromised RDP Servers to Anonymize Attacks

Research by security firm Flashpoint has found that more than 35,000 remote desktop protocol (RDP) servers have been compromised by hackers, who use them as a way of anonymizing cyber-attacks.


More than 35,000 servers that host remote desktops for companies have been compromised by an Eastern European group that is selling access to the computers for less than $15 each, threat-intelligence firm Flashpoint stated in an analysis published on Oct. 24.

The compromised remote desktop protocol (RDP) servers allow the dark-web group to offer anonymization services and access to any information on the servers. While the lion’s share of the servers are in some of the fastest growing countries—with China, Brazil and India accounting for almost half of all compromised servers—hundreds of servers are based in the United States. Most often, the infected servers belong to healthcare companies, educational institutions and government agencies.

“All sorts of data can be stolen via compromised RDPs,” Olivia Rowley, intelligence analyst at Flashpoint told eWEEK. “Cyber-extortionist(s) … (have) likely utilized RDPs in order to steal personally identifiable information and other sensitive data from clients of a variety of businesses.”

The remote desktop protocol (RDP) is a common way for companies to offer remote desktop access. A variety of RDP applications—from TeamViewer to LogMeIn to the default clients on Windows and Mac OS X—allow users to access their systems from a remote location.

Yet, when the attacker gains access to the password—and two-factor authentication is not enabled—RDP software essentially becomes a remote access Trojan. In June 2016, for example, users of TeamViewer began complaining that unauthorized users were gaining access to their accounts.

An IBM researcher accounted how his home office was almost breached because of the attack: “Had I not been there to thwart the attack, who knows what would have been accomplished. Instead of discussing how I almost got hacked, I’d be talking about the serious implications of my personal data leak.”

Using compromised computers as a way of anonymizing the source of cyber-attacks is a favorite technique. Criminal enterprises are following the lead of the online business world, turning complex techniques into cloud-based services.

“Compromised RDP servers are used both as instruments of anonymity and also often times as a means of providing direct access to victim networks,” Rowley stated in the online analysis. “Over the past several years, Flashpoint analysts have discovered that various hospitality, retail, and online payment services have been breached as a result of criminal syndicates utilizing fraudulently obtained RDP access.”

The group focused on by the Flashpoint analysis is a new player, which only started selling access to compromised RDP servers in February. Prices for the servers vary from $3 to $10. The price significantly undercuts another major player, which sold similar access costing from $10 to $100.

Since RDP servers are often used by third-party service providers, the systems are often connected to back-end retail systems, allowing a successful attacker access to credit- and debit-card details, Rowley said.

“Cyber-criminals may also use RDPs to gain access to point-of-sale (POS) terminals, thereby granting them access to financial information from recent and ongoing transactions,” she said.

Companies should take proactive measures to protect themselves, by conducting regular audits and scans of their own networks for the protocol and require strong passwords be used for any RDP server accessible from the Internet, Flashpoint said. Stopping brute-force password guessing can eliminate much of the current threat, the company said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...