Researchers at McAfee’s Advanced Threat Research team have discovered that credentials for systems at a major international airport were being sold on the dark web for just $10. Airport administrators verified the authenticity of the credentials, which would have allowed control of “systems linked to security and building automation systems,” and resolved the issue after being informed by McAfee. The researchers withheld the name of the airport for confidentiality reasons.
The stolen credentials were for the airport’s Remote Desktop Protocol (RDP) service, which lets employees log in to specific machines from outside the local network. Valid RDP credentials are an ideal opening for cybercriminals, and demand for them has led to thriving dark web markets where stolen logins are bought and sold. For years, ransomware operations such as SamSam have used stolen or guessed RDP credentials to gain an initial foothold and spread through a network.
It’s still unclear how the airport’s credentials were obtained, although McAfee researchers suspect the attackers used brute force: trying large numbers of common or guessed passwords against the login until one succeeded. Brute force attacks on internet-exposed RDP endpoints are common and are aided by easily available tools. Administrators of RDP systems have been slow to adopt defenses such as two-factor authentication, account lockout and rate-limiting, any of which could have blunted an attack like this one.
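The brute-force pattern described above leaves a distinctive trace on the target: a burst of failed logons from one source address, sometimes followed by a success. The following is an added example, not code from the McAfee post or the original article, showing how a defender could spot that pattern in Windows Security log data. It works over a small set of constructed records (not real airport data) shaped like event 4625 (failed logon) and 4624 (successful logon) with their logon type; the pipe-delimited line format, the threshold of five failures per minute and the sample addresses and usernames are assumptions made for the example.

```python
"""Flag RDP password guessing and a likely compromised credential.

Added example, not from the article or McAfee's research. The record
format below is a constructed stand-in for Windows Security events:
    timestamp|event_id|logon_type|source_ip|target_user
Event 4625 = failed logon, 4624 = successful logon. Logon type 10 is
RemoteInteractive (an RDP session); type 3 (Network) is what a failed
RDP attempt looks like when Network Level Authentication rejects it
before a session exists. Type 2 is a local console logon and is ignored.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures within the window that flag a source (assumed)
WINDOW = timedelta(seconds=60)
RDP_LOGON_TYPES = {3, 10}

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    "2018-07-10T02:00:00|4625|3|203.0.113.5|administrator",
    "2018-07-10T02:00:05|4625|3|203.0.113.5|admin",
    "2018-07-10T02:00:10|4625|3|203.0.113.5|bms",
    "2018-07-10T02:00:15|4625|3|203.0.113.5|scada",
    "2018-07-10T02:00:20|4625|3|203.0.113.5|operator",
    "2018-07-10T02:00:25|4625|3|203.0.113.5|svc_bms",
    "2018-07-10T02:00:30|4624|10|203.0.113.5|svc_bms",   # success after the burst
    "2018-07-10T08:15:00|4625|10|198.51.100.7|jsmith",   # single typo, then success
    "2018-07-10T08:15:40|4624|10|198.51.100.7|jsmith",
    "2018-07-10T09:00:00|4625|2|10.0.0.12|jdoe",          # console failures: not RDP
    "2018-07-10T09:00:01|4625|2|10.0.0.12|jdoe",
    "2018-07-10T09:00:02|4625|2|10.0.0.12|jdoe",
    "2018-07-10T09:00:03|4625|2|10.0.0.12|jdoe",
    "2018-07-10T09:00:04|4625|2|10.0.0.12|jdoe",
]


def parse_event(line):
    """Split one constructed record into a dict with typed fields."""
    ts, event_id, logon_type, ip, user = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "id": int(event_id),
        "ltype": int(logon_type),
        "ip": ip,
        "user": user,
    }


def detect_rdp_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (flagged_ips, compromised).

    flagged_ips: sources that produced >= threshold RDP failures inside
                 any sliding window of the given length.
    compromised: (ip, user, timestamp) for each RDP success that came
                 from an already flagged source, i.e. the guessing
                 probably worked and that account needs a reset.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    compromised = []
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        if ev["ltype"] not in RDP_LOGON_TYPES:
            continue
        failures = recent[ev["ip"]]
        if ev["id"] == 4625:
            failures.append(ev["ts"])
            while failures and ev["ts"] - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                flagged.add(ev["ip"])
        elif ev["id"] == 4624 and ev["ip"] in flagged:
            compromised.append((ev["ip"], ev["user"], ev["ts"]))
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip in sorted(flagged):
        print(f"password guessing from {ip}")
    for ip, user, ts in compromised:
        print(f"{ts.isoformat()} successful RDP logon as {user} from flagged source {ip}")
```

On a real host the same logic would run over the Security log (for example the output of `wevtutil` or `Get-WinEvent`) rather than the constructed list; the point of the `compromised` output is that a success from a source that was just flagged is the signal that a password reset, not only a firewall block, is needed. The console failures from `10.0.0.12` are deliberately excluded so that a user mistyping at the keyboard does not trip an RDP alert.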
The airport wasn’t the only sensitive site with an RDP problem. “We also came across multiple government systems being sold worldwide,” McAfee’s post reads, “[including] dozens of connections linked to health care institutions, from hospitals and nursing homes to suppliers of medical equipment.”