
1.3 Million Windows RDP Logins Stolen and Sold on Dark Web
Remote Desktop Protocol (RDP) is one of the most widely used services for remotely controlling other systems. When it is left exposed, however, anyone who can reach the service and guess, steal or buy a valid login gets complete control of the machine. It is as if the attacker were sitting in front of the keyboard and mouse. Now consider the reach and potential impact of 1.3 million Windows RDP logins stolen and sold on the dark web.
The Dark Web Marketplace
The marketplace behind the sale of these credentials is Ultimate Anonymity Services, or UAS, a very popular cyber-criminal marketplace and the largest known for stolen RDP logins. Buyers on UAS can obtain leaked social security numbers, SOCKS proxies, and RDP login information. RDP credentials generally sell for $3 to $15 each, and UAS even provides customer support, helping a buyer keep access to the system whose credentials they purchased.
1.3 Million RDP Logins Leaked
Recently, the UAS database of stolen RDP credentials was leaked. It contains logins for 1.3 million (1,379,609 to be exact) currently and previously compromised systems. The credentials cover systems in countries across the globe and include logins for government agencies and high-profile organizations and businesses.
An analysis of the leaked credentials turned up the following:
Top 10 Login Names:
- Administrator
- Admin
- User
- Test
- Scanner
- Scan
- Guest
- IME_ADMIN
- User1
- Administrador
Top 10 Passwords:
- 123456
- 123
- P@ssw0rd
- 1234
- Password1
- 1
- Password
- 12345
- admin
- ffff-ffc0M456x
Top 10 Countries:
- United States
- China
- Brazil
- Germany
- India
- United Kingdom
- France
- Spain
- Canada
- Hong Kong
Check Your Status
If you use RDP on any of your systems, check RDPwned. This service lets you look up whether your servers or RDP logins appear in the leaked database.
As the analysis shows, the top usernames and passwords are defaults or trivially guessable, which is exactly what automated brute-force and password-spraying tools try first. Rename or disable default accounts, use long, unique passwords, enforce an account lockout policy so that guessing attempts trip an alarm and stall, and require Network Level Authentication so that an attacker must authenticate before a session is even created. Most importantly, RDP should never be exposed directly to the internet: keep it behind a firewall, a VPN, or a Remote Desktop Gateway so that only trusted networks can reach it. These steps greatly reduce the chance that your servers end up for sale on a site such as UAS.
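The hardening steps above can be checked, and most of them applied, from an elevated PowerShell session on the server itself. The script below is an added example written for this page, not a tool from the original article or from the RDPwned service. It reports whether RDP is enabled and on which port, whether NLA is on, whether the built-in "Remote Desktop" firewall rule group accepts connections from any address, whether an account lockout threshold exists, whether the built-in Administrator and Guest accounts are enabled under their default names, and how many failed logons (event ID 4625) were recorded in the last 24 hours. The management subnet 10.20.0.0/24 and the lockout threshold of 5 are assumed placeholder values; adjust them for your environment.

```powershell
<#
  Added example (not from the original article): audit, and optionally fix,
  the RDP exposure points a server commonly gets wrong.
  ASSUMPTIONS: -ManagementSubnet and the lockout threshold of 5 are placeholders.
  Run elevated on the Windows host being checked. Without -Fix it only reports.
#>
param(
    [switch]$Fix,                               # apply changes instead of only reporting
    [string]$ManagementSubnet = '10.20.0.0/24'  # assumed admin network; placeholder value
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

# 1. Is RDP enabled at all, and on which port is it listening?
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$rdpPort    = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($rdpEnabled) { $findings += "RDP is enabled, listening on TCP/$rdpPort" }

# 2. Network Level Authentication: the client must authenticate before a
#    session is created, so unauthenticated attackers never reach the logon screen.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings += 'Network Level Authentication is disabled'
    if ($Fix) { Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 }
}

# 3. Firewall scope: the built-in "Remote Desktop" rule group ships with
#    RemoteAddress = Any. Restrict it to the management network.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' accepts RDP from any address"
        if ($Fix) { $rule | Set-NetFirewallRule -RemoteAddress $ManagementSubnet }
    }
}

# 4. Account lockout: without a threshold, guessing passwords for
#    'Administrator' and the other names in the leaked list costs the attacker nothing.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
if ($lockoutLine -match 'Never') {
    $findings += 'No account lockout threshold is set'
    # Assumed policy: 5 attempts, 30-minute lockout, 30-minute counter window.
    if ($Fix) { net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null }
}

# 5. Predictable account names: built-in Administrator (RID 500) and Guest (RID 501).
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($admin.Enabled -and $admin.Name -eq 'Administrator') {
    # Renaming is an operational decision (scripts and tooling may depend on the
    # name), so it is reported rather than changed automatically.
    $findings += 'Built-in Administrator account is enabled under its default name'
}
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest.Enabled) {
    $findings += 'Guest account is enabled'
    if ($Fix) { Disable-LocalUser -SID $guest.SID }
}

# 6. Evidence of ongoing guessing: failed logons (4625) in the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
if ($failed.Count -gt 100) {
    $findings += "$($failed.Count) failed logons in the last 24h; check the source addresses for password spraying"
}

if ($findings.Count -eq 0) { 'No RDP exposure findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once without `-Fix` to see the findings, then with `-Fix -ManagementSubnet <your admin network>` to apply them. Note that on a domain-joined host the lockout threshold comes from Group Policy and a local `net accounts` change will be overwritten at the next policy refresh; set it in the domain policy instead. Restricting the firewall rule is not a substitute for taking RDP off the internet, since it still leaves the service reachable from whatever can spoof or reach the allowed range; it is the local backstop behind the VPN or gateway.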
Internet-exposed RDP is one of the most common findings on an external penetration test. If you run Windows servers with RDP enabled, have such an assessment performed at least once a year.