Logins For 1.3 Million Windows RDP Servers Leaked On Hacker Market

Logins and passwords for 1.3 million Windows Remote Desktop servers have been leaked on UAS, the largest marketplace for stolen RDP credentials.

Remote Desktop Protocol (RDP) is widely used to access Windows computers remotely, both at home and in corporate settings, which makes it an attractive target for cybercriminals. There is a thriving market for stolen RDP credentials, which sell for as little as $3 and typically no more than $70.

Using these credentials, a threat actor can gain access to a network and carry out a variety of malicious activities: infecting other computers on the network, stealing data, installing point-of-sale (POS) malware to harvest payment card data, planting backdoors for persistent access, and deploying ransomware.

RDP is such a lucrative target that the FBI has said it is responsible for 70-80% of all network breaches that have led to ransomware attacks.

UAS, or Ultimate Anonymity Services, mostly trades Windows Remote Desktop login credentials, stolen Social Security numbers, and access to SOCKS proxy servers.

Since December 2018, a group of security researchers has had access to UAS and has been quietly building a database of the RDP credentials sold there, which now holds 1,379,609 RDP accounts.

BleepingComputer researchers who examined the database say the listed RDP servers include those of government agencies in 63 countries, with the United States among the top three.

They also saw RDP credentials for many high-profile companies, including numerous servers belonging to organizations in the healthcare industry. BleepingComputer further determined that many of the listed RDP servers belong to organizations that suffered ransomware attacks in the past two years, attacks that may have started with credentials sold on UAS or a similar marketplace.

Having analyzed the 1.3 million accounts in the database, BleepingComputer found that the top five login names were 'Administrator', 'Admin', 'User', 'test', and 'scanner'; the top five passwords were '123456', '123', 'P@ssw0rd', '1234', and 'Password1'; and the most common countries were the United States, China, Brazil, Germany, India, and the United Kingdom.
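The analysis above is the same triage a defender would run against a credential dump: tally usernames, passwords and countries, and check whether any of the listed hosts fall inside your own address space. The following script is an added example and is not code from the article or from BleepingComputer. The dump layout it parses (`host:port;username;password;country`, one record per line) is an assumption, and the records in SAMPLE_DUMP are constructed from reserved documentation address ranges, not real leaked data.

```python
from collections import Counter
import ipaddress

# Constructed sample in an assumed "host:port;username;password;country" layout.
# Addresses are from RFC 5737 documentation ranges; nothing here is real leaked data.
SAMPLE_DUMP = """\
203.0.113.10:3389;Administrator;123456;US
203.0.113.11:3389;Admin;P@ssw0rd;US
198.51.100.7:3389;User;123;CN
198.51.100.8:3389;test;1234;BR
192.0.2.5:3389;scanner;Password1;DE
192.0.2.6:3389;Administrator;123456;IN
192.0.2.7:3389;Administrator;Password1;GB
203.0.113.12:3389;Admin;123456;US
"""

# Weak credentials the article reports as most common; used to flag trivially guessable logins.
WEAK_PASSWORDS = {"123456", "123", "P@ssw0rd", "1234", "Password1"}


def parse_dump(text):
    """Parse dump lines into dicts; skips blank lines and lines that do not have four fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) != 4:
            continue  # malformed line, ignore rather than crash on a large dump
        host_port, user, password, country = parts
        host, _, port = host_port.rpartition(":")
        records.append({
            "host": host,
            "port": int(port) if port.isdigit() else None,
            "user": user,
            "password": password,
            "country": country,
        })
    return records


def top_n(records, field, n=5):
    """Most common values of a field, e.g. top_n(records, 'user') -> [('Administrator', 3), ...]."""
    return Counter(r[field] for r in records).most_common(n)


def weak_credential_records(records):
    """Records whose password is in the weak list (the accounts an attacker tries first)."""
    return [r for r in records if r["password"] in WEAK_PASSWORDS]


def hits_in_ranges(records, cidrs):
    """Records whose host lies inside any of the given CIDR blocks (your own address space)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = []
    for r in records:
        try:
            addr = ipaddress.ip_address(r["host"])
        except ValueError:
            continue  # hostname rather than IP literal; resolve separately if needed
        if any(addr in net for net in nets):
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for field in ("user", "password", "country"):
        print(field, top_n(recs, field))
    # Hypothetical "our" range to check against the dump.
    for hit in hits_in_ranges(recs, ["203.0.113.0/24"]):
        print("own host listed:", hit["host"], hit["user"])
```

On a real dump the interesting output is the last loop: any of your own hosts appearing there means the password is already sold and the account should be reset and the exposure of TCP 3389 reviewed, regardless of how strong the password looked.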


About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.