Airport Security System Access Available for Just $10 on the Darknet
Researchers from McAfee have studied the range of so-called “RDP shops” on the darknet. These platforms sell access to compromised systems, with anywhere from 15 to 40,000 offers available depending on the marketplace. The largest of these marketplaces include Ultimate Anonymity Service (UAS Shop), Blackpass, Flyded, and xDedic.
Comparing the Size of RDP Shops
In the UAS Shop, researchers discovered that access to the security systems of a major international airport in the United States could be purchased for just $10 (no, the cybercriminals didn’t forget to add a couple of zeros).
This particular “lot” naturally caught the attention of the specialists. Instead of buying the credentials from the criminals, the experts used Shodan to find the compromised Windows Server machine mentioned in the listing. The researchers note that attackers typically act in a similar way: they scan networks for systems open to RDP connections and then use brute-force tools like Hydra, NLBrute, or RDP Forcer to guess login credentials. Once they successfully obtain a username and password, they put them up for sale.
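The pattern described above (many failed RDP logons from one source, then a success) is visible in Windows Security events 4625 and 4624. The following detection sketch is an added example, not part of the McAfee research or the original article; the CSV layout, the sample events, the function name and the threshold are assumptions made for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample data (not from the article):
# time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP), type 3 = Network (RDP with NLA).
SAMPLE_EVENTS = """\
2024-01-01T02:00:01,4625,3,203.0.113.7,administrator
2024-01-01T02:00:03,4625,3,203.0.113.7,admin
2024-01-01T02:00:05,4625,3,203.0.113.7,backup
2024-01-01T02:00:07,4625,3,203.0.113.7,scanner
2024-01-01T02:00:09,4625,3,203.0.113.7,vendor1
2024-01-01T02:00:11,4624,10,203.0.113.7,vendor1
2024-01-01T08:15:00,4625,10,198.51.100.20,jsmith
2024-01-01T08:15:30,4624,10,198.51.100.20,jsmith
"""

RDP_LOGON_TYPES = {"3", "10"}

def find_guessed_logons(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, failures) for each successful logon that
    was preceded by at least `threshold` failures from the same source
    address within `window`. Expects events in chronological order."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ts, event_id, logon_type, ip, account in csv.reader(StringIO(log_text)):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        recent = failures[ip]
        # Drop failures that have aged out of the sliding window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if event_id == "4625":
            recent.append(when)
        elif event_id == "4624":
            if len(recent) >= threshold:
                alerts.append((ip, account, len(recent)))
            recent.clear()  # a success resets the counter for this source
    return alerts

if __name__ == "__main__":
    for ip, account, count in find_guessed_logons(SAMPLE_EVENTS):
        print(f"{ip}: logon as {account!r} after {count} failed attempts")
```

A single mistyped password followed by a success (the `jsmith` rows) stays below the threshold, while the burst of guesses across several account names from one address is flagged.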
Upon reaching the Windows RDP login page, the specialists found two more accounts associated with two companies specializing in airport security. One company focuses on building automation and security, while the other specializes in video surveillance and related analytics.
The researchers state that they did not fully investigate the depth of access these accounts provided, but they note that compromising such systems could serve as an excellent foundation for attackers to continue their intrusion, using tools like Mimikatz to move further into the network.
Moreover, by examining other accounts, the experts discovered a domain likely linked to the airport’s automated transportation system—a passenger transport system that connects the terminals.