The Nuspire Security Intelligence and Analytics (SIA) team observed renewed activity from TrueFighter, a malicious actor targeting remote desktop protocol (RDP) accounts. TrueFighter first emerged on October 19, 2014; the attacker has a history of financially motivated attacks, breaking into networks and selling the access credentials for profit.
In the past week, we saw a spike in activity with the group selling RDP accounts through multiple underground communities and forums. As part of this campaign, the attacker is targeting organizations primarily in – but not limited to – the healthcare industry. The range of industries varies as TrueFighter sells information for unspecified organizations, opting to define the source by industry (e.g. U.S. medical center network or U.S. water district).
Below is our analysis of this ongoing TrueFighter campaign, more details on this attacker and how organizations can protect themselves from this attack.
TrueFighter is a malicious actor. It is unknown if it is a single entity or a group, but through our analysis, it appears to be a single actor. TrueFighter has been around for years; the first identification of TrueFighter dates back to Oct 19, 2014.
TrueFighter is a member of multiple underground communities and forums. They frequently sell access to compromised networks and appear to be financially motivated.
The majority of TrueFighter sales on these forums are compromised RDP accounts. Anyone who buys these accounts would obtain remote administrative access to the compromised organization. Most of the known targets are in the healthcare industry.
TrueFighter has a very diverse group of targets. Although the group primarily appears to attack the healthcare industry, sales denote a broader set of unspecified organizations. They’ve previously offered RDP accounts for access to a U.S. water district, U.S. law firm, U.S. construction organization, Japanese medical university, U.S. hospital, a “large E.U. hospital”, a Brazilian medical organization, a “Large company” in the U.K., and a “large U.S. pawnshop”.
This intel highlights the risk around RDP access as a prime target for attackers. Exposed RDP access can easily be found by using search sites, like Shodan.io, which attackers can use to attempt to exploit the connection leveraging known vulnerabilities.
The exploitation framework FuzzBunch can use an exploit like DoublePulsar to attack those RDP connections. To prevent this, administrators can restrict access to RDP connections to trusted sources, audit connectivity logs for unknown connections and implement 2FA for RDP logins.
Most of the attacks so far compromised RDP accounts; however, in some cases TrueFighter also offered the ability to escalate the accounts to domain admin access for an additional fee.
RDP connections are easy to seek out. They can easily be searched via Shodan.io and similar tools. We did a quick Shodan.io search and found 4,317,424 exposed RDP connections, from which 30% (1,287,950) were U.S. based. RDP is also known to have multiple vulnerabilities over time and unpatched systems are especially attractive targets to attackers.
It is possible that TrueFighter gains access, then due to the risk or possible additional skill levels needed to continue attacking, sells the connection to others who are more interested in the target. As with any intrusion, the longer the attacker is in the network the more likely they will be identified and, thus, lose the connection. Instead, TrueFighter likely opts to break into these accounts quietly, then sells the credentials to interested parties and washing their hands of it to make money quickly.
There are several steps administrators can take to protect their organization from TrueFighter:
In addition, staying apprised of the latest intelligence enables administrators to stay a step ahead of threat actors.
Stay up-to-date on the latest threats. Sign up today to receive our prompt security alerts.