
“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs

Cybercrime

Dark Web marketplaces selling access to compromised Remote Desktop Protocol (RDP) servers have become increasingly popular in the cybercriminal ecosystem over the past several years. UAS, which stands for "Ultimate Anonymity Services," is one such popular cybercriminal RDP shop and has been online since February 16, 2016. UAS offers SOCKS proxies in addition to over 35,000 brute-forced RDPs for sale.

Image 1: The first post by the UAS team on their website, written in English and Russian, details the gang's motivations for setting up their RDP shop. The post, translated from the original Russian, reads: 


Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we’ll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…

P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility, same here, not knowing our rules does not excuse you from responsibility if you break them.

UAS offers RDPs sourced from countries across the world; however, in keeping with Eastern European cybercriminal norms, the shop does not offer RDPs from the Commonwealth of Independent States (CIS). Flashpoint analysts evaluated sample data from a variety of countries to determine targeting across the globe and discovered that China, Brazil, India, Spain, and Colombia appear to be among the countries with the greatest number of RDPs for sale on UAS:

• China — 7,216 RDPs

• Brazil — 6,143 RDPs 

• India — 3,062 RDPs 

• Spain — 1,335 RDPs

• Colombia — 929 RDPs 

Image 2: Flashpoint analysts evaluated the number of RDPs offered for sale for more than thirty sample countries. 


Flashpoint analysts assess with a low degree of confidence that the aforementioned countries may have a higher number of exposed RDPs due to lax cybersecurity hygiene involving remote connection monitoring. 

Additionally, UAS offers approximately 300 U.S.-based RDPs. Flashpoint investigated various RDP servers available within the United States and determined that most of them are geographically clustered in a few specific zip codes. Such concentration possibly indicates opportunistic exploitation of a handful of companies operating multiple RDP hosts; it is likely that these companies have lax security measures, leading to a greater number of vulnerable RDPs. An alternative explanation worth checking before attributing the cluster to a few victims is that zip codes such as 20146 (Ashburn, Virginia) and 94043 (Mountain View, California) contain large hosting and cloud facilities, so IP geolocation may be placing many unrelated servers at a provider's location rather than at the server owners' offices.

Image 3: Flashpoint analysis reveals a concentration of compromised RDPs across only four geographic regions within the United States. 


The most popular U.S. zip codes in the UAS dataset are as follows:

• 20146 – Ashburn, Virginia — 52 RDPs 

• 43085 – Franklin County, Ohio — 52 RDPs

• 94043 – Santa Clara County, California — 43 RDPs

• 97086 – Clackamas County, Oregon — 36 RDPs

• 94536 – Alameda County, California — 30 RDPs

In line with their research on the xDedic dataset (xDedic is another major RDP shop available to cybercriminals and a UAS competitor), Flashpoint analysts discovered RDPs sourced from healthcare, education, and government entities for sale on UAS.  

RDPs sold on UAS have a base price of around $10 USD regardless of country of origin, victim operating system, administrative rights, or other factors. By contrast, xDedic sells RDPs at a minimum of around $10 USD, with prices sometimes reaching upwards of $100 USD. Flashpoint analysts did not determine what conditions and factors account for this discrepancy in prices between the two shops.

Interestingly, UAS lays out their pricing model for their RDPs in their FAQ section. The pricing is as follows: 

Image 4: Pricing model for UAS RDPs


Other factors can increase the price of a compromised RDP on UAS, such as an RDP with an open port 25 (SMTP, which makes the host usable for sending spam) or an RDP added to the site less than five hours prior. Altogether, the maximum price for an RDP on UAS is $15 USD.

Flashpoint’s analysis of Deep & Dark Web (DDW) chatter revealed interest in both UAS and xDedic on many Russian-language forums, as well as on one prominent French-language forum.

Assessment

Compromised RDP servers are used both as anonymizing infrastructure and, often, as a means of direct access to victim networks. Over the past several years, Flashpoint analysts have discovered that various hospitality, retail, and online payment services have been breached as a result of criminal syndicates utilizing fraudulently obtained RDP access.

As RDPs are set up for remote access to an office's resources, they provide an initial vector into the target organization. By elevating privileges and moving laterally, threat actors can pivot from the environment to which the RDP server provided access to other, more target-rich environments. This could potentially give actors access to proprietary internal documents or resources, as well as footholds from which to drop various payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor's specific capability, motivation, targeting, and goals.

Preemptive measures to protect one's organization against RDP exploitation include conducting audits and reviews of any externally accessible RDP connections to organization networks. RDP access should be protected by strong, complex passwords in order to frustrate threat actors' efforts to brute force their way into corporate environments. Because the UAS inventory is explicitly brute-forced, the controls that most directly defeat that sourcing method are account lockout thresholds, Network Level Authentication, and placing RDP behind a VPN or gateway with multi-factor authentication rather than exposing port 3389 directly; monitoring failed logons from external addresses is the detection counterpart to those controls.
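The monitoring side of the advice above, as an added example that is not part of the original post and not Flashpoint's code: a small detector that runs over Windows Security log events exported one per line, counts failed logons (Event ID 4625) per source address in a sliding window, and escalates when a successful logon (4624) later arrives from an address that already tripped the brute-force threshold, since that is the moment a server is likely to end up in a shop like UAS. The line format, the sample events, and the addresses (RFC 5737 documentation ranges) are all constructed for the example; the threshold and window are assumptions to be tuned per environment.

```python
"""Sliding-window detection of RDP brute forcing from exported Windows Security events.

Added example, not code from the original post or from Flashpoint.
Assumed (constructed) export format, one event per line:
    <iso8601-utc> <EventID> <LogonType> <TargetUserName> <IpAddress>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Logon type 10 is RemoteInteractive (RDP). With Network Level Authentication
# enabled, the pre-session credential failure is commonly recorded as a
# type 3 (network) logon instead, so both types are counted.
RDP_LOGON_TYPES = {10, 3}

# Constructed sample events, not real log data. Three sources:
#   203.0.113.45  - 12 failures in under three minutes, then a success
#   198.51.100.7  - a user mistyping a password twice, then a success
#   192.0.2.9     - five failures spread over two hours (slow, low-volume)
SAMPLE_LOG = """\
2024-03-02T08:00:00Z 4625 3 administrator 192.0.2.9
2024-03-02T08:30:00Z 4625 3 administrator 192.0.2.9
2024-03-02T09:00:01Z 4625 10 administrator 203.0.113.45
2024-03-02T09:00:02Z 4625 3 administrator 192.0.2.9
2024-03-02T09:00:14Z 4625 10 admin 203.0.113.45
2024-03-02T09:00:27Z 4625 10 user 203.0.113.45
2024-03-02T09:00:40Z 4625 10 test 203.0.113.45
2024-03-02T09:00:53Z 4625 10 guest 203.0.113.45
2024-03-02T09:01:06Z 4625 10 scan 203.0.113.45
2024-03-02T09:01:19Z 4625 10 backup 203.0.113.45
2024-03-02T09:01:32Z 4625 10 backup 203.0.113.45
2024-03-02T09:01:45Z 4625 10 backup 203.0.113.45
2024-03-02T09:01:58Z 4625 10 backup 203.0.113.45
2024-03-02T09:02:11Z 4625 10 backup 203.0.113.45
2024-03-02T09:02:24Z 4625 10 backup 203.0.113.45
2024-03-02T09:03:10Z 4624 10 backup 203.0.113.45
2024-03-02T09:05:00Z 4625 10 jsmith 198.51.100.7
2024-03-02T09:05:20Z 4625 10 jsmith 198.51.100.7
2024-03-02T09:05:40Z 4624 10 jsmith 198.51.100.7
2024-03-02T09:30:00Z 4625 3 administrator 192.0.2.9
2024-03-02T10:00:00Z 4625 3 administrator 192.0.2.9
"""


def parse_events(text):
    """Parse the constructed export format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts for sources with >= threshold RDP failures inside `window`.

    A 'bruteforce' alert fires once per source IP. Any later 4624 from that IP
    produces a 'success_after_bruteforce' alert, the case a defender most needs
    to see because the credentials are now in the attacker's hands.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted
    flagged = set()               # ips that already produced a bruteforce alert
    alerts = []
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e["ts"])
            users[ip].add(e["user"])
            while q and e["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "kind": "bruteforce", "ip": ip, "failures": len(q),
                    "first_seen": q[0], "last_seen": e["ts"], "users": sorted(users[ip]),
                })
        elif e["event_id"] == 4624 and ip in flagged:
            alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the defaults (10 failures in 5 minutes) only the fast source 203.0.113.45 alerts, followed by the escalation when the `backup` account succeeds; the user who mistyped twice is ignored. Lowering the threshold to 2 turns that user into a false positive, while catching the slow source 192.0.2.9 requires widening the window to hours with a low threshold, which is the usual tuning trade-off for this kind of rule.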

Overall, Flashpoint assesses with moderate confidence that UAS’s lower prices may contribute to the growing popularity of the shop among cybercriminals.


About the author: Liv Rowley

Liv Rowley is an Intelligence Analyst at Flashpoint. She speaks fluent Spanish and specializes in analyzing threats emerging from the Spanish-language underground with an emphasis on Latin America. Prior to Flashpoint, Olivia’s passion for Latin America and the Middle East led her to pursue extensive research on the languages, culture, and political climate of these regions. She has studied abroad in Madrid, Spain and holds a bachelor’s degree in International Relations with a concentration in International Security from Tufts University.

About the author: Vitali Kremez

Vitali Kremez is a Director of Research at Flashpoint. He oversees analyst collection efforts and leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies deliver indictments of many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney's Office.

He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.