One of the most notable changes in cybercrime since the beginning of the 21st century has been the maturation of the illegal industry from individual hackers to full-on profitable businesses. E-Root, a global illegal marketplace, was taken down by law enforcement in 2020 but recently made the news as its admin faces 20 years in prison for selling stolen Remote Desktop Protocol (RDP) and Secure Shell (SSH) accounts.
E-Root specialized in facilitating the sale of various digital goods, including stolen credentials and access to compromised servers. Buyers were given filtered search tools to navigate the marketplace, with criteria such as ISP, operating system, RDP or SSH access and more. The cybercriminal organization operated across a widely distributed network to enhance resilience and evasion, incorporating protections to mask the real identities of vendors, buyers and administrators.
This incident serves as a stark reminder of the importance of securing privileged access to prevent data breaches, as cyber threats continue to evolve and increase.
Remote Desktop Protocol
RDP is a network communication protocol that allows users to remotely connect to an organization’s on-premises computers through the Windows operating system. It is also commonly used by IT teams to perform server maintenance and other tasks remotely.
RDP credentials function as an infrastructure secret used by humans, usually IT admins and DevOps personnel, although regular end users sometimes use RDP to access files remotely.
While RDP is a valuable tool for remote administration, it becomes a significant security risk if exploited by cybercriminals. For years, compromised RDP passwords have been the most common vector for ransomware infections.
Ransomware attacks aren’t the only bad thing that can happen if an RDP password is compromised. Once a threat actor breaches RDP, they can use software tools and command-line scripting to find and steal more credentials, snake their way through the organization’s network and access their files. They can steal those files, delete them, modify them or do whatever they want.
Secure Shell
SSH is a cryptographic network protocol used for secure data communication, remote command-line login and other secure network services between two networked computers. SSH keys and other connection credentials are vital resources for DevOps and DevSecOps teams, widely used for secure access to servers.
Using SSH keys and other credentials in a secure way is challenging. Transporting keys across a network or between users introduces risk.
As a result, compromised SSH accounts can be exploited to gain unauthorized control over an organization’s servers and sensitive data.
If RDP and SSH accounts are stolen through insecure remote connections, is there an effective way to prevent that theft?
Adopting Measures To Protect RDP and SSH Accounts From Ending Up on the Dark Web
Organizations heavily rely on RDP and SSH for seamless operation, making them prime targets for cybercriminals. Stolen accounts often end up on dark web marketplaces like E-Root.
While the takedown of E-Root was a positive development, many other illicit marketplaces persist, underscoring the ongoing threat. To protect SSH and RDP credentials from theft and misuse, organizations should take the following proactive steps:
Secure Privileged Accounts: Implement robust measures for defining, managing and securing accounts with elevated access to IT systems. This involves the storage of passwords and secrets in a secure vault, along with role-based access controls to restrict sensitive credentials to only the individuals who absolutely need to access them.
Enforce the Principle of Least Privilege: Limit access rights for users, applications and systems by granting only the minimum levels of access necessary for employees to perform their required tasks. With least privilege, organizations can mitigate the risk of unauthorized access and potential misuse.
Rotate Credentials: Regularly rotate credentials to reduce the security threats associated with employee terminations, breaches, dark web exposure and more. This practice enhances security by minimizing the window of opportunity for malicious actors to exploit compromised credentials.
Manage Privileged Sessions: Ensure that critical infrastructure is accessed through privileged account session management. All sessions should be secure, and credentials must remain concealed from end users to prevent unauthorized access.
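As an added example, not from the original post or from Keeper's products, the following Python audit checks an OpenSSH server configuration against the least-privilege practices listed above: key-only authentication, no direct root login, a bounded number of guesses per connection and an explicit allow-list of who may log in. The baseline values, the OpenSSH defaults table and the two sample configurations are assumptions constructed for this example.

```python
"""Audit an OpenSSH sshd_config against a least-privilege baseline (added example)."""
import re

# OpenSSH global defaults for the audited directives (per sshd_config(5); assumed to match your version, so verify).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
            "pubkeyauthentication": "yes", "permitemptypasswords": "no",
            "maxauthtries": "6"}

# Assumed baseline: key/certificate auth only, no direct root login, few
# guesses per connection. An explicit allow-list is checked separately.
BASELINE = {
    "passwordauthentication": lambda v: v == "no",
    "permitrootlogin": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    "permitemptypasswords": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
}

def parse_global(text):
    """Effective global directives: first occurrence wins, Match blocks ignored."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to the matched users/hosts
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return (directive, effective_value) pairs that violate the baseline."""
    cfg = parse_global(text)
    effective = {k: cfg.get(k, DEFAULTS[k]) for k in BASELINE}  # default if unset
    findings = [(k, v) for k, v in effective.items() if not BASELINE[k](v)]
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):  # least privilege
        findings.append(("allowusers/allowgroups", "absent"))
    return findings

WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"  # constructed
HARDENED = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"  # constructed
            "PubkeyAuthentication yes\nPermitEmptyPasswords no\nMaxAuthTries 3\n"
            "AllowGroups ssh-admins\nMatch User backup\n    ForceCommand /usr/local/bin/backup-only\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "baseline met")
```

Directives left unset are judged by the OpenSSH default, so a config that never mentions PasswordAuthentication is still reported, which is the usual way password-based SSH access survives unnoticed.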
Keeper® Is the Best Option To Protect RDP and SSH Accounts
Keeper Security’s Privileged Access Management (PAM) solution is a next-gen platform for preventing unauthorized access to critical systems and data. KeeperPAM™ protects all of your RDP and SSH accounts, digital certificates and other sensitive connection tokens. Keeper’s zero-trust and zero-knowledge architecture means that your secrets, credentials and remote connections are only accessible to authorized individuals.
Keeper Secrets Manager (KSM) allows DevOps and DevSecOps teams to create dynamic programmatic access to their secrets and credentials within their systems, without the need to procure and install new hardware or agent software. KSM operates in the cloud with pre-configured connections for the top-tier tools in the industry. This facilitates a seamless integration of KSM into an organization’s current technology stack, eliminating the need for extra appliances while deploying Keeper’s zero-knowledge, zero-trust architecture for the highest level of security.
Keeper Connection Manager (KCM) provides IT and DevOps personnel with simple and secure access to RDP, SSH, databases and Kubernetes endpoints, with no VPN required. With KCM, there are no agents – your web browser is the client and there’s no impact on your domain controllers or other services. Users can only access connections that their admin has explicitly granted them with granular access controls.
Keeper Enterprise Password Manager (EPM) provides IT teams with total visibility and control over their users’ password habits. Each user is provisioned with a secure digital vault to store and share credentials, passkeys, sensitive files and more. Keeper also integrates with SSO and passwordless providers for an end-to-end passwordless authentication experience.
Request a demo of Keeper today to protect your organization.