By Jennifer Lyn Walker
If you have experienced a cyber incident and never determined the actors’ initial access vector, chances are it was via an internet-accessible Windows Remote Desktop (RDP) server. And given that login credentials for 1.3 million Windows RDP servers have just been leaked from the largest “hacker” marketplace for stolen RDP credentials, it’s a pretty good chance at that.
The marketplace – UAS, or ‘Ultimate Anonymity Services,’ – most notably sells Windows Remote Desktop (RDP) login credentials and stolen Social Security Numbers. According to researchers at Advanced Intelligence, LLC, the login names and passwords for 1.3 million current and historically compromised Windows RDP servers have recently been leaked. Considering the Multi-State Information Security & Analysis Center® (MS-ISAC®) estimates there are approximately 3.5 million publicly available internet connected RDP devices, 1.3 million is a significant repository of breached servers and associated credentials.
What is Remote Desktop and Why is this a Problem?
RDP provides convenient remote access to corporate resources, but far too often RDP servers are stood up without regard for a secure configuration – placing them behind a Remote Desktop Gateway (RDG) or Virtual Private Network (VPN), limiting which accounts and source addresses can connect, and requiring complex, unique passwords. These widespread insecure configurations make for a very large attack surface and a trivial attack vector for threat actors.
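As an added illustration of those configuration points (this is example code written for this post, not a tool from Gate 15, AdvIntel, or BleepingComputer), the following PowerShell audits a Windows host for the common RDP weaknesses described above and, with -Harden, applies the registry and firewall fixes. It assumes it is run elevated on Windows 10 / Server 2016 or later (for the LocalAccounts and NetSecurity modules), that Windows Firewall is the host firewall, and that $AllowedSources is replaced with your real VPN or RDG address range; the 10.0.0.0/24 value is a constructed placeholder.

```powershell
# Added example, not from the original post: audit (and optionally harden) a host's RDP exposure.
# Assumes an elevated session; $AllowedSources is a constructed placeholder for your VPN/RDG subnet.
[CmdletBinding()]
param(
    [string[]]$AllowedSources = @('10.0.0.0/24'),   # placeholder: VPN or RDG source range
    [switch]$Harden
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

# 1. Is RDP enabled at all? If it is not needed, fDenyTSConnections=1 is the simplest fix.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 0) { $findings += 'RDP is enabled; confirm it is actually required on this host.' }

# 2. Network Level Authentication (UserAuthentication=1) authenticates the client before a
#    session is created, so password guessing never reaches a logon screen.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings += 'Network Level Authentication is not required.'
    if ($Harden) { Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 }
}

# 3. Firewall scope: the built-in "Remote Desktop" rules default to any remote address, which
#    is exactly what makes a server internet-accessible. Restrict them to the VPN/RDG range.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($scope -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address."
        if ($Harden) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources }
    }
}

# 4. Limited access: Remote Desktop Users should hold named accounts, not broad groups, and the
#    login names that dominate leaked RDP databases should not be enabled local accounts.
$commonNames = @('Administrator', 'Admin', 'User', 'test', 'scanner')
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
foreach ($member in $rdpUsers) {
    if ($member.Name -match '(^|\\)(Everyone|Users|Domain Users|Authenticated Users)$') {
        $findings += "Remote Desktop Users contains the broad group '$($member.Name)'."
    }
}
foreach ($account in (Get-LocalUser | Where-Object { $_.Enabled -and $commonNames -contains $_.Name })) {
    $findings += "Enabled local account '$($account.Name)' uses a login name common in credential leaks; rename or disable it."
}

# 5. Account lockout blunts online password guessing; "Never" means unlimited attempts.
$lockoutLine = (net accounts) -match 'Lockout threshold'
if ($lockoutLine -match 'Never') { $findings += 'No account lockout threshold is set (net accounts /lockoutthreshold).' }

if ($findings.Count -eq 0) { 'No RDP exposure findings.' } else { $findings }
```

Run it once without -Harden to see the findings, then again with -Harden -AllowedSources '<your VPN range>' to apply the NLA and firewall-scope changes; the account and lockout items are reported only, since renaming accounts and setting lockout policy are decisions a domain admin should make deliberately rather than have a script make for them. Note that scoping the firewall rule does not replace putting the server behind an RDG or VPN; it only makes sure the host itself stops listening to the internet.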
There is Help
To that end, well-known and respected security researcher and CEO of Advanced Intelligence, LLC, Vitali Kremez launched a new service to help organizations determine if their RDP servers are listed in the UAS database. The website is called RDPwned, and Kremez told BleepingComputer that companies would need to submit contact information from an executive or admin of the company, which Advanced Intel will vet to prevent misuse. Once verified, Advanced Intel will confirm if their company’s servers are listed in RDPwned. The site itself has a very straightforward explanation for what the tool is and how it works, so please check out RDPwned for more information if your organization uses Windows RDP. For more on RDP, attacks leveraging unsecured RDP servers, and recommendations on how to secure your RDP, check out the Center for Internet Security’s (CIS) guide, Exploited Protocols: Remote Desktop Protocol.
Some Parting Points
BleepingComputer obtained a redacted copy of the leaked database and after analyzing the 1.3 million accounts, pulled out some interesting data that should be useful for all computer users and network admins:
- The top five login names found in the sold RDP servers are ‘Administrator’, ‘Admin’, ‘User’, ‘test’, and ‘scanner’.
- The top five passwords used by the RDP servers are ‘123456’, ‘123’, ‘P@ssw0rd’, ‘1234’, and ‘Password1’.
- The top five represented countries in the database are United States, China, Brazil, Germany, India, and the United Kingdom.
BleepingComputer’s observations are unsurprisingly consistent with findings published throughout the years, and I mean YEARS. However, it is still astonishing that even a pool of 1.3 million credentials yields the same persistent, perpetual password pitfalls. Furthermore, because we procrastinate about changing our passwords, threat actors get a lot of mileage out of just one cache of compromised credentials (like this one) – quite honestly, if you’ve seen one, you’ve seen them all. Not only are passwords persistently predictable, but widespread password reuse only perpetuates the problem.
So, if you think passwords don’t matter, please reconsider that belief. And if you have ever used RDP, check RDPwned to see if your RDP server and associated credentials have been compromised, and then secure your server and change your password to something you have never used before!
- Learn more about Advanced Intelligence at their website and follow the team on Twitter: @IntelAdvanced.
- Hear more from AdvIntel CEO Vitali Kremez in this January 2021 podcast: The Gate 15 Interview: Vitali Kremez, Ethical Hacker & Entrepreneur.
- Advanced Intelligence and Gate 15 are proud sponsors of the Faith-Based Information Sharing and Analysis Organization (FB-ISAO), providing support to threat awareness and preparedness activities.