The login details (IP addresses, usernames and passwords) of about 1.3 million compromised Windows Remote Desktop Protocol (RDP) servers have been sold through a hacker marketplace since December 2018, BleepingComputer reports.
UAS (Ultimate Anonymity Services), the largest marketplace for RDP login details and other personal data and access credentials, was monitored by a group of security researchers who saw 1,379,609 sets of RDP server login credentials sold since the end of 2018: an average of over 1,800 per day.
What is RDP?
Remote Desktop Protocol (RDP) is a technology developed by Microsoft that allows a user on one computer to access the desktop of another computer over the Internet.
As a result of the Covid-19 pandemic and the huge increase in working from home, RDP has become a common means of accessing devices such as office PCs and servers from home.
You can read more about using RDP securely in our Think IT Insights RDP article.
Why are RDP vulnerabilities such a big problem?
The widespread use of RDP, up by over 40% as a result of Coronavirus according to ZDNet, means that when issues are discovered there are often many people affected.
RDP is also a common ‘attack vector’ for ransomware; in fact, the FBI states it is by far the entry method most used by attackers.
The other issue is the nature of RDP: as it gives someone remote access to a whole system, if it’s compromised by an attacker it’s quite possible they’ll get full access to the PC or server.
Whilst RDP is functional and can be secured (as set out in our RDP security article), many organisations now seek straightforward, low-cost solutions that are more secure ‘out of the box’. For more information on a simple and secure solution for secure remote access, have a look at our Think IT Insights Splashtop article.
Have my RDP server usernames and passwords been hacked and sold?
New York-based threat prevention and loss avoidance firm AdvIntel’s Vitali Kremez, an ethical hacker, was able to access the database of sold credentials and has developed a tool, RDPwned, allowing you to check if your RDP server(s) are among those that have potentially been opened up through UAS.
Without listing anything specific, the three countries with the highest number of compromised accounts sold were the US, China and Brazil, with the UK coming in sixth.
I use RDP, what do I do?
The first thing is to ensure the passwords used for RDP access are ‘strong’, and that if you have any suspicion that RDP might have been compromised, the passwords are changed. There’s more password guidance in our Think IT Insights password guide.
Also, use the RDPwned site to check if your RDP server(s) are in the list. You can send them an email, and they’ll check the details for you.
I’m not sure if I use RDP, what do I do?
Contact your IT support to check. Explain the basic details of the issue and ask for immediate assistance. If you use Think IT, or if you don’t have any IT support, contact us by phone (01392 435803), email (firstname.lastname@example.org) or both.
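If you want a quick answer before you ring support, the following read-only PowerShell check (an added example, not part of the original article or of any Think IT tool) reports whether a Windows PC or server currently accepts Remote Desktop connections and how it is configured. It assumes you run it in an elevated PowerShell session on the machine in question and that the Windows firewall uses the built-in "Remote Desktop" rule group.

```powershell
# Added example (not from the original article): a read-only PowerShell check
# that reports whether this Windows machine accepts RDP connections and how it
# is configured. Run in an elevated PowerShell session on the PC or server.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled on this machine.
$denyConnections = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($denyConnections -eq 0)

# UserAuthentication = 1 means Network Level Authentication (NLA) is required,
# so a caller must authenticate before a desktop session is even created.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# The listening port is 3389 unless an administrator has changed it.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

# Is anything actually listening on that port right now?
$listening = $null -ne (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

# Is the built-in "Remote Desktop" firewall rule group allowing inbound traffic?
$fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
            -Direction Inbound -Action Allow -ErrorAction SilentlyContinue).Count -gt 0

[PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    RdpEnabled       = $rdpEnabled
    NlaRequired      = $nlaRequired
    ListeningPort    = $port
    PortListening    = $listening
    FirewallAllowsIn = $fwOpen
} | Format-List
```

If RdpEnabled and PortListening come back True on a machine you did not expect to be reachable, or NlaRequired comes back False, that is exactly the detail to pass on to your IT support along with the steps above.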
If you need help with anything else, head to the Contact Us page of the website and get in touch with us.