Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.

Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.

Makost currently is selling access to more than 6,000 compromised RDP installations worldwide. As we can see from the screen shot above, hacked systems are priced according to a combination of qualities of the server:

city, state, country of host;

administrative or regular user rights;

operating system version;

number and speed of computer processors;

amount of system memory;

network download and upload speeds;

NAT or direct.

KrebsOnSecurity was given a glimpse inside the account of a very active user of this service, an individual who has paid more than $2,000 over the past six months to purchase some 425 hacked RDPs. I took the Internet addresses in this customer’s purchase history and ran WHOIS database lookups on them all in a bid to learn more about the victim organizations. As expected, roughly three-quarters of those addresses told me nothing about the victims; the addresses were assigned to residential or commercial Internet service providers.

But the WHOIS records turned up the names of businesses for approximately 25 percent of the addresses I looked up. The largest group of organizations on this list were in the manufacturing (21 victims) and retail services (20) industries. As I sought to categorize the long tail of other victim organizations, I was reminded of the Twelve Days of Christmas carol.

twelve healthcare providers;

ten education providers;

eight government agencies;

seven technology firms;

six insurance companies;

five law firms;

four financial institutions;

three architects;

two real estate firms;

and a forestry company (in a pear tree?)

How did these companies end up for sale on makost[dot]net? That is explained deftly in a report produced earlier this year by Trustwave, a company which frequently gets called in when companies experience a data breach that exposes credit card information. Trustwave looked at all of the breaches it responded to in 2012 and found — just as in years past — “IP remote access remained the most widely used method of infiltration in 2012. Unfortunately for victim organizations, the front door is still open.”

The report continues:

“Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”

“Would-be attackers simply scan blocks of Internet addresses looking for hosts that respond to queries on one of these ports. Once they have a focused target list of Internet addresses with open remote administration ports, they can move on to the next part of the attack: The number 2 most-exploited weakness: default/weak credentials.”

In case the point wasn’t clear enough yet, I’ve gathered all of the username and password pairs picked by all 430 RDP-enabled systems that were sold to this miscreant. As evidenced by the list below, the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password. In each of the following cases, the username and password are the same.

Some of these credential pairs even give you an idea of the type of organization involved; the employee account that was compromised (“intern,” “techsupport”); the purpose of the hacked system (“payroll,” “fax,” “scanner,” “timeclock”); even the geographic location of the compromised PC within the organization (e.g., “front desk,” “conference room,” “garage”). Incredibly, some of the systems appear to be named after actual security features or backup devices (“symantec,” “sonicwall,” “sophos”):

owner owner

showroom showroom

operations operations

train train

test test

colin colin

robert robert

install install

besadmin besadmin

tony tony

guest guest

symantec symantec

stacey stacey

stephanie stephanie

jessica jessica

install install

frontdesk frontdesk

sophos sophos

tim tim

lisa lisa

guest guest

guest guest

timeclock timeclock

dale dale

djohnson djohnson

john john

staff staff

student student

cw cw

guest guest

inventory inventory

aspnet aspnet

scanner scanner

tablet1 tablet1

timeclock timeclock

rsmith rsmith

tara tara

gary gary

user user

billing1 billing1

shipping1 shipping1

warehouse warehouse

scott scott

cnc cnc

training training

personnel personnel

template template

training training

faxserver faxserver

nicole nicole

sales sales

jbrown jbrown

driver driver

ksmith ksmith

sys sys

engineering engineering

gking gking

guest guest

kclark kclark

kwebb kwebb

guest1 guest1

robert robert

AdMiNiStRaToR AdMiNiStRaToR

ipad ipad

rae rae

canon canon

shipping shipping

fax fax

remote1 remote1

mission mission

reporter reporter

dispatch dispatch

guard guard

rm rm

marcia marcia

sales sales

makik makik

kbrown kbrown

kbrown kbrown

ray ray

jrobinson jrobinson

shop shop

remote remote

dharris dharris

user user

bkexec bkexec

cmm cmm

toolcrib toolcrib

test test

temp temp

sbrown sbrown

dispatch dispatch

carpet carpet

laura laura

techsupport techsupport

bkexec bkexec

ganderson ganderson

buexec buexec

twadmin twadmin

acs acs

acs acs

bkexec bkexec

testu testu

bookkeeper bookkeeper

rtcservice rtcservice

jcampbell jcampbell

mlee mlee

email email

owner owner

bethb bethb

sisadmin sisadmin

cmartinez cmartinez

beadmin beadmin

mattp mattp

conf conf

prod prod

ws ws

jackie jackie

tempadmin tempadmin

install install

support support

wendy wendy

ricoh ricoh

simmons simmons

agarcia agarcia

jens jens

prod prod

timeclock timeclock

specialist specialist

christine christine

training training

sqlexec sqlexec

production production

testuser testuser

garage garage

sms sms

ldap ldap

sharepoint sharepoint

epicor epicor

epicor epicor

sandy sandy

resource resource

carrie carrie

nancy nancy

remote remote

lisa lisa

sales sales

kristina kristina

facilities facilities

erika erika

seagate seagate

mmills mmills

checkout checkout

susan susan

peter peter

insurance insurance

Administrator Administrator

maureen maureen

mike mike

training training

av av

schedule schedule

brad brad

timeclock timeclock

awilson awilson

spadmin spadmin

cecilia cecilia

renee renee

fax fax

sonny sonny

joey joey

caroot caroot

xray xray

dallen dallen

triage triage

ewilliams ewilliams

djordan djordan

clerk clerk

danny danny

bkupexec bkupexec

bu bu

monroe monroe

mmiller mmiller

seagate seagate

mmurray mmurray

recruiting recruiting

jsmith jsmith

jwilson jwilson

buexec buexec

mikeg mikeg

jking jking

bobc bobc

caroot caroot

kronos kronos

jgreen jgreen

bkupexec bkupexec

lab lab

jaime jaime

davidf davidf

kronos kronos

xray xray

rbrown rbrown

bizhub bizhub

julie julie

bec bec

checkout checkout

tuser tuser

bjohnson bjohnson

jbox jbox

dataentry dataentry

itsupport itsupport

sharepoint sharepoint

pc pc

volunteer volunteer

mail mail

konica konica

mill mill

canon canon

volunteer volunteer

heidi heidi

carla carla

tracy tracy

frontdesk frontdesk

driver driver

operations operations

trainer trainer

accounts accounts

labuser labuser

production production

jsmith jsmith

sup890 sup890

installer installer

help help

intern intern

la la

timeclock timeclock

confrm confrm

assembly assembly

john john

spadmin spadmin

jdoe jdoe

bloomberg bloomberg

resume resume

attach attach

assembly assembly

faxes faxes

faxes faxes

aevans aevans

tjones tjones

dbagent dbagent

Scanner Scanner

frontoffice frontoffice

Billing Billing

Nurse Nurse

MS MS

buexec buexec

xray xray

joan joan

frontdesk frontdesk

bkupexec bkupexec

kjohnson kjohnson

marcia marcia

kbrown kbrown

str str

awilliams awilliams

lsmith lsmith

voicemail voicemail

lsmith lsmith

wilkerson wilkerson

wilkerson wilkerson

wilkerson wilkerson

faxadmin faxadmin

faxadmin faxadmin

faxadmin faxadmin

vismail vismail

aspuser aspuser

jh jh

pmartin pmartin

tammy tammy

melanie melanie

mfg mfg

dwright dwright

sharepoint sharepoint

mobile mobile

forms forms

conference conference

examroom examroom

insurance insurance

confroom confroom

archiver archiver

Production Production

restore restore

Email Email

export export

Payroll Payroll

schulung schulung

tablet tablet

temp temp

cci cci

michele michele

jimm jimm

techsupport techsupport

exadmin exadmin

randerson randerson

ecopy ecopy

triage triage

ecopy ecopy

pool pool

jcampbell jcampbell

labcorp labcorp

jtaylor jtaylor

dmartin dmartin

markd markd

rsvp rsvp

beadmin beadmin

ataylor ataylor

police police

backup backup

template template

presentation presentation

setup setup

jeffm jeffm

spiceworks spiceworks

labcorp labcorp

croom croom

vorlage vorlage

summit summit

exchange exchange

user2 user2

corpconf corpconf

exadmin exadmin

rrobinson rrobinson

tserver tserver

faxes faxes

faxes faxes

cmm cmm

west west

shipping shipping

SYSTRAY SYSTRAY

scanuser scanuser

besadmin besadmin

davidm davidm

labcorp labcorp

cnc cnc

faxes faxes

faxes faxes

assist assist

toshiba toshiba

labcorp labcorp

exadmin exadmin

tadmin tadmin

resumes resumes

resumes resumes

scan1 scan1

shipping shipping

adminsch adminsch

exchangeadmin exchangeadmin

debbie debbie

edi edi

kate kate

exam exam

exam2 exam2

workstation2 workstation2

trainer2 trainer2

scanner scanner

cs cs

books books

katie katie

Chief Chief

ricoh ricoh

konica konica

laurie laurie

classroom classroom

pt pt

mill mill

staff2 staff2

research research

frontdesk frontdesk

dispatch2 dispatch2

pete pete

smiller smiller

Office Office

conference conference

bookkeeper bookkeeper

sales1 sales1

router router

user1 user1

fax fax

exchadmin exchadmin

stacy stacy

oncall oncall

postgres postgres

toolroom toolroom

backups backups

ricoh ricoh

confroom confroom

production production

jake jake

kitchen kitchen

client2 client2

archive archive

ws ws

delia delia

qbdataserviceuser qbdataserviceuser

brac brac

spd spd

sonicwall sonicwall

rec rec

itadmin itadmin

pack pack

volunteer volunteer

mail mail

printer printer

south south

testing testing

testing testing

parts parts

conferenceroom conferenceroom

voicemail voicemail

reports reports

parts parts

voicemail voicemail

shipping shipping

scanner scanner

training training

watchdog watchdog

amanda amanda

user4 user4

student1 student1

lo lo

jackie jackie

scan scan

classroom classroom

client1 client1

client1 client1

If you’ve read this far, I hope it’s clear by now that the easiest way to get your systems hacked using RDP is to pick crappy credentials. Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to some third-party company that engages in this sort of sloppy security. Fortunately, a quick external port scan of your organization’s Internet address ranges should tell you if any RDP-equipped systems are enabled. Here are a few more tips on locking down RDP installations.
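One way to run the external check recommended above, as an added example that is not part of the original post: it expands the address ranges your organization owns and reports every host that accepts a TCP connection on 3389, which is exactly what the scanners described earlier look for. The function names and the 192.0.2.0/29 placeholder range are my assumptions.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

RDP_PORT = 3389  # Microsoft RDP listens here by default


def hosts_in_ranges(cidrs):
    """Expand a list of CIDR strings into individual host addresses.

    A single address ("203.0.113.5") is accepted and yields one host.
    """
    hosts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def rdp_port_open(host, port=RDP_PORT, timeout=1.0):
    """Return True if a TCP handshake to host:port completes.

    A completed handshake on 3389 only shows the port is reachable from
    wherever this runs; confirm each hit against your own inventory.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or sockets disallowed
        return False


def find_exposed_rdp(cidrs, timeout=1.0, workers=64):
    """Check ranges you own from outside; return hosts answering on 3389."""
    hosts = hosts_in_ranges(cidrs)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, rdp_port_open(h, timeout=timeout)), hosts)
    return sorted(h for h, is_open in results if is_open)


if __name__ == "__main__":
    # Constructed example: 192.0.2.0/29 is an RFC 5737 documentation range,
    # standing in for an organization's own external address block.
    exposed = find_exposed_rdp(["192.0.2.0/29"], timeout=0.5)
    for host in exposed:
        print("RDP (tcp/3389) reachable from outside on", host)
    if not exposed:
        print("No hosts answering on tcp/3389 in the ranges checked.")
```

Run it from a vantage point outside your perimeter (not from the office LAN), otherwise internal firewall rules will hide what the Internet actually sees.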

Readers who liked this story may also enjoy this piece — Service Sells Access to Fortune 500 Firms — which examined a similar service for selling hacked RDP systems.
