Dark Web marketplaces selling access to compromised Remote Desktop Protocol (RDP) servers have become increasingly popular in the cybercriminal ecosystem over the past several years. UAS — which stands for “Ultimate Anonymity Services” — is one such popular cybercriminal RDP shop that has been online since February 16, 2016. UAS offers SOCKS proxies in addition to over 35,000 brute-forced RDPs for sale.
Image 1: The first post by the UAS team on their website, written in English and Russian, details the gang’s motivations for setting up their RDP shop. The post, translated from the original Russian, reads:
Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we’ll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…
P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility; the same applies here: not knowing our rules does not excuse you from responsibility if you break them.
UAS offers RDPs sourced from countries across the world; however, in keeping with Eastern European cybercriminal norms, the shop does not offer RDPs from the Commonwealth of Independent States (CIS). Flashpoint analysts evaluated sample data from a variety of countries to determine targeting across the globe and discovered that China, Brazil, India, Spain, and Colombia appear to be among the countries with the greatest number of RDPs for sale on UAS:
• China — 7,216 RDPs
• Brazil — 6,143 RDPs
• India — 3,062 RDPs
• Spain — 1,335 RDPs
• Colombia — 929 RDPs
Image 2: Flashpoint analysts evaluated the number of RDPs offered for sale for more than thirty sample countries
Flashpoint analysts assess with a low degree of confidence that the aforementioned countries may have a higher number of exposed RDPs due to lax cybersecurity hygiene involving remote connection monitoring.
Additionally, UAS offers approximately 300 U.S.-based RDPs. Flashpoint investigated various RDP servers available within the United States and determined that most of the RDPs are geographically aggregated across a few specific zip codes. Such concentration possibly indicates opportunistic exploitation of a handful of companies each running multiple RDP servers; it is likely that these companies have lax security measures, leading to a greater number of vulnerable RDPs.
Image 3: Flashpoint analysis reveals a concentration of compromised RDPs across only four geographic regions within the United States
The most popular U.S. zip codes in the UAS dataset are as follows:
• 20146 — Ashburn, Virginia — 52 RDPs
• 43085 — Franklin County, Ohio — 52 RDPs
• 94043 — Santa Clara County, California — 43 RDPs
• 97086 — Clackamas County, Oregon — 36 RDPs
• 94536 — Alameda County, California — 30 RDPs
In line with their research on the xDedic dataset (xDedic is another major RDP shop available to cybercriminals and a UAS competitor), Flashpoint analysts discovered RDPs sourced from healthcare, education, and government entities for sale on UAS.
RDPs sold on UAS are priced around $10 USD regardless of country of origin, victim operating system, administrative rights, or other factors. By contrast, xDedic sells RDPs starting at around $10 USD, with prices sometimes reaching upwards of $100 USD. Flashpoint analysts did not determine what conditions and factors account for this price discrepancy between the two shops.
Interestingly, UAS lays out their pricing model for their RDPs in their FAQ section. The pricing is as follows:
Image 4: Pricing model for UAS RDPs
Other factors can increase the price of a compromised RDP on UAS, such as an RDP with an open port 25 or an RDP added to the site less than five hours prior. Altogether, the maximum price for an RDP on UAS is $15 USD.
Flashpoint’s analysis of Deep & Dark Web (DDW) chatter revealed interest in both UAS and xDedic on many Russian-language forums, as well as on one prominent French-language forum.
Compromised RDP servers are used both as instruments of anonymity and also oftentimes as a means of providing direct access to victim networks. Over the past several years, Flashpoint analysts have discovered that various hospitality, retail, and online payment services have been breached as a result of criminal syndicates utilizing fraudulently obtained RDP access.
As RDPs are set up for remote access to an office’s resources, they provide an initial vector into the target organization. By elevating privileges, threat actors can pivot from the environment to which the RDP server provided access into other, more target-rich environments. This could potentially give actors access to proprietary internal documents or resources, as well as footholds from which to drop various payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals.
Preemptive measures to protect an organization against RDP exploitation include conducting audits and reviews of any externally accessible RDP connections into organization networks. RDP access should be protected by a strong, complex password in order to frustrate threat actors’ efforts to brute force their way into corporate environments.
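Since the RDPs sold on UAS were obtained by brute forcing, the detection counterpart to the audit above is to watch the RDP servers you do expose for bursts of failed logons. The following is an added example, not code from Flashpoint or from the original post: it takes records shaped like the fields a SIEM extracts from Windows Security event 4625 (failed logon, with logon type 10 marking a Remote Desktop session attempt) and flags any source address that accumulates a threshold of failures inside a sliding time window. The event records, IP addresses, usernames and timestamps are constructed for this example; the field names are an assumption about how your log pipeline labels them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security event: "An account failed to log on"
REMOTE_INTERACTIVE = 10   # logon type used by RDP / Terminal Services sessions

# Constructed sample records (not real telemetry). Field names assume a SIEM
# that flattens event 4625 into time / event_id / logon_type / user / src_ip.
SAMPLE_EVENTS = [
    # Six failures in 13 seconds, six different usernames: a password-guessing run.
    {"time": "2016-03-01T02:14:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2016-03-01T02:14:07", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "198.51.100.23"},
    {"time": "2016-03-01T02:14:09", "event_id": 4625, "logon_type": 10, "user": "user1",         "src_ip": "198.51.100.23"},
    {"time": "2016-03-01T02:14:12", "event_id": 4625, "logon_type": 10, "user": "test",          "src_ip": "198.51.100.23"},
    {"time": "2016-03-01T02:14:15", "event_id": 4625, "logon_type": 10, "user": "scanner",       "src_ip": "198.51.100.23"},
    {"time": "2016-03-01T02:14:18", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "198.51.100.23"},
    # One mistyped password by an employee: legitimate, must not be flagged.
    {"time": "2016-03-01T08:02:40", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "203.0.113.8"},
    # Failed console logons (type 2) are not RDP and are ignored by the rule.
    {"time": "2016-03-01T09:00:00", "event_id": 4625, "logon_type": 2,  "user": "jsmith",        "src_ip": "127.0.0.1"},
    {"time": "2016-03-01T09:00:01", "event_id": 4625, "logon_type": 2,  "user": "jsmith",        "src_ip": "127.0.0.1"},
    # A slow guesser: six failures spaced ten minutes apart. Invisible to a
    # five-minute window, caught by a one-hour window.
    {"time": "2016-03-01T10:00:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "192.0.2.77"},
    {"time": "2016-03-01T10:10:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "192.0.2.77"},
    {"time": "2016-03-01T10:20:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "192.0.2.77"},
    {"time": "2016-03-01T10:30:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "192.0.2.77"},
    {"time": "2016-03-01T10:40:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "192.0.2.77"},
    {"time": "2016-03-01T10:50:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "192.0.2.77"},
]


def detect_rdp_bruteforce(events, threshold=5, window_minutes=5):
    """Return {src_ip: summary} for every source that produced at least
    `threshold` failed RDP logons within any span of `window_minutes`.

    Only event 4625 with logon type 10 counts. A deque holds the attempts
    inside the current window, so the check is linear in the number of events.
    """
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for e in events:
        if e["event_id"] != FAILED_LOGON or e["logon_type"] != REMOTE_INTERACTIVE:
            continue
        per_ip[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    alerts = {}
    for ip, attempts in per_ip.items():
        attempts.sort()                       # events may arrive out of order
        recent = deque()
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop attempts that fell out of the window
                recent.popleft()
            if len(recent) >= threshold and (ip not in alerts or len(recent) > alerts[ip]["failures"]):
                alerts[ip] = {
                    "failures": len(recent),
                    "usernames": sorted({u for _, u in recent}),
                    "first": recent[0][0].isoformat(),
                    "last": ts.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for label, minutes in (("5-minute window", 5), ("60-minute window", 60)):
        print(f"--- {label} ---")
        for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS, window_minutes=minutes).items():
            print(f"{ip}: {info['failures']} failed RDP logons, "
                  f"{len(info['usernames'])} usernames, {info['first']} .. {info['last']}")
```

Run against the sample with the default five-minute window, only 198.51.100.23 is reported; widening the window to an hour also surfaces the slow guesser at 192.0.2.77 while the single employee typo still stays quiet. Pairing a short, low-threshold window with a longer, higher-threshold one is a reasonable starting point, and the list of distinct usernames per source is worth keeping in the alert, since many usernames from one address is itself a strong signal of enumeration rather than a forgotten password.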
Overall, Flashpoint assesses with moderate confidence that UAS’s lower prices may contribute to the growing popularity of the shop among cybercriminals.