How one attack campaign steals and sells RDP credentials (Security News, August 2020)
Spotted by security firm Nuspire, one campaign that has resurfaced lately grabs RDP credentials or access and then sells them on underground forums.
Active on several underground forums and communities, TrueFighter specializes in the sale of compromised RDP accounts through which buyers gain remote administrative access to the networks of affected organizations.
Though the healthcare sector is a popular target, TrueFighter has sold RDP credentials from other types of organizations, including a US hospital, a large EU hospital, a US water district, a US law firm, a US construction organization, a large US pawnshop, a Japanese medical university, a Brazilian medical organization, and a large company in the UK. Exposed and vulnerable RDP access can easily be discovered through sites such as Shodan.io, a search engine for Internet-connected devices.
Using Shodan.io, Nuspire found more than 4.3 million exposed RDP connections, 30% of which were in the US. Hackers can then use an exploit framework such as FuzzBunch and a backdoor exploit like DoublePulsar to compromise those uncovered RDP connections.
TrueFighter mostly sells regular access to stolen RDP credentials.