
With so many people still working from home, organizations and employees are more dependent than ever on remote access to internal PCs and networks. That means more users who need to tap into Remote Desktop Protocol (RDP) accounts, making those accounts more ubiquitous and more vulnerable.

Spotted by security firm Nuspire, one campaign that has resurfaced lately grabs RDP credentials or access and then sells them on underground forums. In a blog post published Monday, Nuspire describes how this campaign operates.

An attacker dubbed TrueFighter has a history of hacking into networks, stealing RDP credentials, and then selling them for profit on the Dark Web. This attacker can target any type of organization but primarily focuses on those in the healthcare industry. First seen in October 2014, the campaign has recently triggered a spike in activity, according to Nuspire.

TrueFighter may be a single entity or an entire group, but Nuspire’s research suggests that it’s a single actor. Active on several underground forums and communities, TrueFighter specializes in the sale of compromised RDP accounts through which buyers gain remote administrative access to the networks of affected organizations.

Though the healthcare sector is a popular target, TrueFighter has sold RDP credentials from other types of organizations, including a US hospital, a large EU hospital, a US water district, a US law firm, a US construction organization, a large US pawnshop, a Japanese medical university, a Brazilian medical organization, and a large company in the UK.

Exposed and vulnerable RDP access can easily be discovered through sites such as, a search engine for Internet of Things (IoT) devices. Using, Nuspire found more than 4.3 million exposed RDP connections, 30% of which were in the US. Hackers can then use an exploit framework such as FuzzBunch and a backdoor exploit like DoublePulsar to compromise those uncovered RDP connections.

TrueFighter mostly sells regular access to stolen RDP credentials. But in some cases it has offered the ability to escalate these accounts to domain admin access, for an additional fee, of course. In other cases, TrueFighter may simply break into a network and then sell the actual connection to other criminals. That tactic helps ensure that the attacker doesn’t spend too much time on the network where it could be detected, thereby losing access.

To help your organization protect itself against RDP credential attacks, Nuspire offers the following tips:

  1. Restrict access to RDP connections to trusted sources.
  2. Audit connectivity logs for unknown connections.
  3. Implement two-factor authentication for RDP logins.
  4. Audit administrative accounts regularly to ensure that unexpected accounts haven’t had their permissions escalated into admin accounts.
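
Tips 1 and 2 can be checked together by comparing successful RDP logons against the list of sources that are supposed to reach RDP. The following is an added example, not code from Nuspire or the original article: it assumes logon records exported from the Windows Security log (event 4624, where LogonType 10 is a RemoteInteractive/RDP logon), and the trusted networks, user names, addresses and timestamps are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Assumption: the only networks allowed to reach RDP (e.g. VPN pool, jump hosts).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
RDP_LOGON_TYPE = "10"  # Windows LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records using Windows Security event field names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "jsmith",
     "IpAddress": "10.20.4.17", "TimeCreated": "2020-09-14T08:02:11Z"},
    {"EventID": 4624, "LogonType": "3", "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.9", "TimeCreated": "2020-09-14T08:05:40Z"},
    {"EventID": 4625, "LogonType": "10", "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23", "TimeCreated": "2020-09-14T23:41:02Z"},
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23", "TimeCreated": "2020-09-14T23:41:09Z"},
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "mlee",
     "IpAddress": "-", "TimeCreated": "2020-09-15T02:13:55Z"},
]

def is_trusted(addr):
    """True only if addr parses as an IP and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "-" or empty source field: unknown, so flag for review
    return any(ip in net for net in TRUSTED_NETS)

def unknown_rdp_logons(events):
    """Group successful RDP logons from untrusted sources by source address."""
    findings = defaultdict(list)
    for ev in events:
        # Keep only successful logons (4624) made over RDP (LogonType 10).
        if ev["EventID"] != 4624 or ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        if not is_trusted(ev["IpAddress"]):
            findings[ev["IpAddress"]].append((ev["TimeCreated"], ev["TargetUserName"]))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in sorted(unknown_rdp_logons(SAMPLE_EVENTS).items()):
        users = sorted({user for _, user in hits})
        print(f"{src}: {len(hits)} RDP logon(s) as {', '.join(users)}")
```

Any source this reports is either a gap in the access restriction or a connection nobody expected; a hit on an administrative account is the case to investigate first.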