Digital security is something that’s on the mind of every company that owns any device more modern than a typewriter these days, and for good reason. A breach of information can be catastrophic for customers and for a business’s reputation, and it’s hard to think of a more appealing target than an airport. Not only do some handle hundreds of flights per day, they also hold the personal information of hundreds of thousands of passengers.
A new report from McAfee presents troubling research on the prevalence of remote desktop protocol (RDP) attacks and the shops that sell the results, which offer anyone with a Tor connection and a Bitcoin wallet credentials to remotely connect to a system. The research highlights compromised internal systems of an unnamed airport, but the overall message is that remote logins for millions of machines are now a commodity — and a cheap one at that.
The headline scary thing is that McAfee’s researchers found logins for sale for just $10 that granted access to an airport’s building security (say, door locks) and video surveillance tools, as well as something related to the inter-terminal transit system. The implications are obviously terrifying — there’s no point in access badges if some guy with a remote desktop session can just unlock the doors — but what’s worse is how hackers are able to sell the exploits in the first place.
“Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as Hydra, NLBrute or RDP Forcer to gain access,” the report says. “These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches.”
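Seen from the defender's side, the brute-force pattern the report describes shows up as a burst of failed remote logons from one address, sometimes followed by a success. The sketch below is an added example, not code from McAfee's report or this article; the record layout, threshold and sample events are constructed assumptions, while 4625 and 4624 are the Windows Security event IDs for failed and successful logons.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, event_id, logon_type, source_ip, user),
# shaped like fields exported from the Windows Security log.
SAMPLE = [
    ("2024-01-01T02:00:01", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-01-01T02:00:03", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-01-01T02:00:05", 4625, 3, "203.0.113.7", "admin"),
    ("2024-01-01T02:00:08", 4625, 3, "203.0.113.7", "admin"),
    ("2024-01-01T02:00:11", 4625, 3, "203.0.113.7", "kiosk"),
    ("2024-01-01T02:00:14", 4625, 3, "203.0.113.7", "kiosk"),
    ("2024-01-01T02:00:20", 4624, 10, "203.0.113.7", "kiosk"),
    ("2024-01-01T09:15:00", 4625, 10, "198.51.100.20", "jsmith"),  # one typo
    ("2024-01-01T09:15:30", 4624, 10, "198.51.100.20", "jsmith"),
    ("2024-01-01T09:20:00", 4625, 2, "-", "jsmith"),  # console logon, ignored
]

# 10 = RemoteInteractive (RDP); 3 = Network, which is how failed RDP
# logons are commonly recorded when Network Level Authentication is on.
REMOTE_LOGON_TYPES = {3, 10}

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures", "users", "success_after"}} for every
    address with at least `threshold` failed remote logons inside `window`."""
    recent = defaultdict(list)   # ip -> [(time, user)] failures still in window
    findings = {}
    for ts, event_id, logon_type, ip, user in sorted(events):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            kept = [(t, u) for t, u in recent[ip] if when - t <= window]
            kept.append((when, user))
            recent[ip] = kept
            if len(kept) >= threshold:
                hit = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False})
                hit["failures"] = max(hit["failures"], len(kept))
                hit["users"].update(u for _, u in kept)
        elif event_id == 4624 and ip in findings:
            # A success after a flagged burst is the case to escalate first.
            findings[ip]["success_after"] = True
    return findings

if __name__ == "__main__":
    for ip, hit in find_bruteforce(SAMPLE).items():
        print(ip, hit)
```
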
Once they have logins, attackers are able to monetize the system in a variety of ways. Even if the machines don’t have any valuable data on them, hackers can harness hundreds of thousands of vulnerable systems into a “botnet” that can be used to send spam, mine cryptocurrency, or conduct distributed denial of service attacks against specific targets to take websites or services offline.
Dumb compromised machines are their own currency on the worst parts of the internet, and according to this report, the trade is bustling:
“The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies from day to day by about 10%.”
Of course, some systems might contain user data, such as credit card info or medical data. Unfortunately, as the researchers point out, the kind of “thin” systems that are often deployed for point-of-sale systems or kiosks are also often the most infrequently updated and most vulnerable to RDP attacks, essentially due to the law of probabilities (with so many machines, some will be vulnerable) and laziness.
Ultimately, all’s well that ends well: In this instance, McAfee notified the airport in question, which patched the vulnerabilities and presumably gave its software vendors a stern talking-to. But with the volume of compromised systems being sold, it’s a question of when and not if another juicy target becomes available for sale.