RDPwned – New tool checks if your corporate RDP server credentials have been compromised

By Jennifer Lyn Walker

If you have experienced a cyber incident and never determined the actors’ initial access vector, chances are it may have been via an internet accessible Windows Remote Desktop (RDP) server. And given that 1.3 million Windows RDP server and associated login credentials have just been leaked from the largest “hacker” marketplace for stolen RDP credentials, it’s a pretty good chance at that.

The marketplace – UAS, or ‘Ultimate Anonymity Services,’ – most notably sells Windows Remote Desktop (RDP) login credentials and stolen Social Security Numbers. According to researchers at Advanced Intelligence, LLC, the login names and passwords for 1.3 million current and historically compromised Windows RDP servers have recently been leaked. Considering the Multi-State Information Security & Analysis Center® (MS-ISAC®) estimates there are approximately 3.5 million publicly available internet connected RDP devices, 1.3 million is a significant repository of breached servers and associated credentials.

What is Remote Desktop and Why is this a Problem?

RDP provides convenient remote access to corporate resources, but far too often RDP servers are stood up without the basics of a secure configuration: placing them behind a Remote Desktop Gateway (RDG) or Virtual Private Network (VPN), limiting which networks and accounts can reach them, and requiring complex, unique passwords. These widespread insecure configurations make for a very large attack surface and a trivial attack vector for threat actors.

There is Help

Vitali Kremez, CEO of Advanced Intelligence, LLC

To that end, well-known and respected security researcher and CEO of Advanced Intelligence, LLC, Vitali Kremez launched a new service to help organizations determine if their RDP servers are listed in the UAS database. The website is called RDPwned, and Kremez told BleepingComputer that companies would need to submit contact information from an executive or admin of the company, which Advanced Intel will vet to prevent misuse. Once verified, Advanced Intel will confirm if their company’s servers are listed in RDPwned. The site itself has a very straightforward explanation for what the tool is and how it works, so please check out RDPwned for more information if your organization uses Windows RDP. For more on RDP, attacks leveraging unsecured RDP servers, and recommendations on how to secure your RDP, check out the Center for Internet Security’s (CIS) guide, Exploited Protocols: Remote Desktop Protocol.

Some Parting Points

BleepingComputer obtained a redacted copy of the leaked database and after analyzing the 1.3 million accounts, pulled out some interesting data that should be useful for all computer users and network admins:

  • The top five login names found in the sold RDP servers are ‘Administrator’, ‘Admin’, ‘User’, ‘test’, and ‘scanner’.
  • The top five passwords used by the RDP servers are ‘123456’, ‘123’, ‘P@ssw0rd’, ‘1234’, and ‘Password1’.
  • The top five represented countries in the database are United States, China, Brazil, Germany, India, and the United Kingdom.
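As an added example (not code from the article or from the RDPwned service), the following PowerShell audit checks a single Windows host for the two patterns discussed above: RDP reachable without limited access, and enabled local accounts that use the login names found in the leaked database. It assumes an elevated session on Windows 10 / Server 2016 or later and that inbound RDP is governed by the built-in ‘Remote Desktop’ firewall rule group.

```powershell
# Added audit example (not part of the article or of RDPwned).
# Assumptions: elevated PowerShell on Windows 10 / Server 2016 or later
# (NetSecurity and LocalAccounts modules available), and the built-in
# "Remote Desktop" firewall rule group governs inbound TCP/3389.

$findings = @()

# 1. Is Remote Desktop enabled at all? (fDenyTSConnections = 0 means allowed)
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 0) { $findings += 'RDP is enabled on this host.' }

# 2. "Limited access": flag enabled inbound RDP allow rules whose remote-address
#    scope is Any, i.e. not restricted to a VPN, RDG or management subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $scope = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress
        if ($scope -contains 'Any') {
            $findings += "Firewall rule '$($_.DisplayName)' allows RDP from any remote address."
        }
    }

# 3. Enabled local accounts using the top login names from the leaked database.
$leakedNames = 'Administrator', 'Admin', 'User', 'test', 'scanner'
Get-LocalUser | Where-Object { $_.Enabled -and ($leakedNames -contains $_.Name) } |
    ForEach-Object { $findings += "Enabled local account with a commonly targeted name: $($_.Name)" }

# 4. Who is allowed to log on over RDP (direct members of the built-in group).
$rdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($rdpMembers) {
    $findings += "Remote Desktop Users members: $(($rdpMembers.Name) -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No RDP exposure findings.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Password quality cannot be audited from the registry, so pair this with an enforced password policy and a check of your servers against RDPwned.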

BleepingComputer’s observations are unsurprisingly consistent with commonly published findings throughout the years, and I mean YEARS. However, it is still astonishing that even a pool of 1.3 million credentials yields the same persistent, perpetual password pitfalls. Furthermore, because of our propensity to procrastinate changing our passwords, threat actors get a lot of success from just one cache of compromised credentials (like this one) – quite honestly, if you’ve seen one, you’ve seen them all. Not only are passwords persistently predictable, but widespread password reuse only perpetuates the problem.

So, if you think passwords don’t matter, please reconsider that belief. And if you have ever used RDP, check RDPwned to see if your RDP server and associated credentials have been compromised, and then secure your server and change your password to something you have never used before!