This past June, CyberProof, an MSSP using Cybersixgill’s Investigative Portal, was approached by a client who had been targeted by a ransomware attack. Noa Raz, CyberProof’s Senior CTI analyst, understood that the ransomware group behind the attack had exploited compromised RDP connections as a means for establishing initial network access. This is in fact a popular way for major ransomware groups to gain their first step into the targeted network.
The analyst discovered that the client had an exposed RDP server whose IP address began 52.172... From there, she searched these two octets in the Cybersixgill Investigative Portal. The analyst discovered that a machine with matching octets and other metadata (including geolocation) was sold on a dark web RDP market known as a popular source for ransomware groups to purchase initial network access.
With this intel in hand, the analyst concluded that there was a significant likelihood that the attacker had purchased access to the vulnerable server on this dark web market. Thus, empowered by Cybersixgill’s Portal, she was able to map out a coherent forensic hypothesis for the attack.
Just how many compromised RDP connections are sold on underground markets? Over the span of a year (June 1st, 2020 to May 31st, 2021), Cybersixgill observed a total 325,917 RDP connections listed for sale on the underground. This is in addition to the nearly 4.6 million endpoints and other remote protocols and systems that are also for sale on the deep and dark web. Anyone can purchase access on these markets, sometimes for as little as several dollars apiece. While deploying ransomware is a lucrative way to abuse access, actors can also abuse access by siphoning system resources, harvesting confidential information, and assuming control of logged-in financial accounts.
Furthermore, while this incident presents a scenario in which intel from these RDP markets can be used in a forensic investigation, Cybersixgill customers can leverage this intelligence proactively to prevent threats from these markets before they materialize. Through the Investigative Portal, customers receive automated alerts whenever their assets are mentioned on the underground. And with Cybersixgill’s Darkfeed, an automated, real-time feed of malicious IOCs, customers can consume and block the IP addresses of compromised RDP connections that are shared freely on underground forums - before they are deployed or weaponized by underground threat actors.
Indeed, several months ago, a Cybersixgill Darkfeed customer, a $2B+ revenue financial services company, received an alert that they had outgoing network traffic to an IP address that was flagged by Darkfeed as having a compromised RDP connection. Using this intel, the customer was able to rapidly triage and prevent this potential attack.