There are many actions a threat actor can take with RDP access (credential harvesting, account takeover, cryptocurrency mining among them) and it's easier for them to launch these threats if they have access to an RDP port. Skilled attackers often find the ports themselves by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.
Still, many threat actors of all skill levels buy RDP access on the Dark Web, where the ports are hot commodities, as are tools to delete attackers' activity once their work is done.
Alleged NordVPN Data Breach: Salesforce Database and Source Code Reportedly Exposed
Pentest tools left online are allowing hackers to exploit Fortune 500 firms
TikTok videos now push infostealer malware in ClickFix attacks