In a blog post, McAfee's John Fokker wrote that the company's Advance Threat Research team found the credentials linked to the security and building automation systems of the airport on hacker marketplaces on the dark web.
RDP allows one Windows user to access another Windows computer through a graphical interface and is used for remote administration by sysadmins. But, as Fokker pointed out, "The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point."
He said the team had looked at several RDP shops - from small ones which were selling 15 connections to much bigger outlets that selling more than 40,000 RDP connections.
"The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, products offered, and potential victims."
RDP access for systems ranging from Windows XP to Windows 10 were advertised on these shops. Windows 2008 and Windows 2012 Server were the most abundant, with about 11,000 and 6500 systems respectively.
The prices ranged from US$3 for a simple configuration to US$19 for a high-bandwidth system that offered access with administrator rights.
Apart from RDP access, other services were advertised as well, depending on the shop.
"In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops," Fokker wrote.
"The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts."
Screenshots: courtesy McAfee