An underground market peddling hacked servers was a unique find, even for a seasoned researcher such as Juan Andres Guerrero-Saade of Kaspersky Lab.
But there it was, xDedic[.]biz selling access to tens of thousands of servers for pennies on the dollar. A Russian-speaking hacker group was meticulously managing this trading platform and selling for as little as $6 USD access to compromised machines that could be used to launch further attacks.
“This is a fairly unusual market demarcating a new development in the stratified cybercrime ecosystem, where a market rises to fill a specific need in the cybercriminal’s arsenal,” Guerrero-Saade said. “The development makes it cheaper and faster to mount a better resourced attack, by removing the need to acquire or hack servers.”
xDedic was publicly exposed on Wednesday in an extensive report published by Kaspersky Lab. The forum, as Guerrero-Saade explains, connects sellers of hacked servers with buyers, and also sells tools that buyers can use to connect to the owned servers and sustain access.
“For example, one of the tools offered will alter the RDP configuration of the server to allow multiple sessions so that when the server’s legitimate administrator logs in, he or she won’t notice that someone else is simultaneously connected,” Guerrero-Saade said.
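A defender's counterpart to the configuration change described in that quote, as an added example that is not code from the Kaspersky report or from any xDedic tool: a PowerShell audit of the host-side RDP settings and live sessions that show whether a second operator could share the server unnoticed. It assumes it runs elevated on the Windows host being checked; the registry value names are Windows' own, and the thresholds are this example's assumptions.

```powershell
# Added example: audit an RDP host for settings and sessions that would let a
# second operator sit alongside the legitimate administrator.
# Assumption: runs in an elevated PowerShell session on the host being checked.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts    = Get-ItemProperty -Path $tsKey

# fSingleSessionPerUser = 1 restricts each account to one session (hardened state).
# 0 allows the same account to hold several concurrent RDP sessions, the outcome
# the article describes the seller's tool arranging.
$single = $ts.fSingleSessionPerUser
if ($single -ne 1) {
    Write-Warning "fSingleSessionPerUser is '$single': concurrent sessions per account are permitted"
} else {
    Write-Output "fSingleSessionPerUser = 1 (one session per account)"
}

# fDenyTSConnections = 1 means RDP is switched off entirely; record it for context.
Write-Output "fDenyTSConnections = $($ts.fDenyTSConnections)"

# Per-listener connection ceiling for the default RDP listener. A value of
# 4294967295 (0xFFFFFFFF) means "unlimited"; a hardened host pins this to the
# number of administrators who genuinely need simultaneous access (assumed: 2).
$rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp"
$maxInstances = $rdpTcp.MaxInstanceCount
if ($null -eq $maxInstances -or $maxInstances -gt 2) {
    Write-Warning "RDP-Tcp MaxInstanceCount is '$maxInstances': no meaningful cap on concurrent connections"
}

# Enumerate live interactive sessions with the built-in 'query user' tool and
# count those in the Active state. Disconnected sessions have an empty session
# name, so match on the STATE column rather than splitting fixed-width fields.
$active = @(query user 2>$null | Select-Object -Skip 1 | Where-Object { $_ -match '\sActive\s' })
Write-Output "Active interactive sessions: $($active.Count)"
$active | ForEach-Object { Write-Output "  $($_.Trim())" }
if ($active.Count -gt 1) {
    Write-Warning "More than one active session on this host; confirm each one is an expected administrator"
}
```

Run this on a schedule and alert when either warning fires; a host that was single-session yesterday and multi-session today has had its RDP configuration changed by someone.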
Kaspersky Lab researchers, who worked with an unnamed European ISP to gather data on xDedic, said the market began some time in 2014. As of May, there were more than 70,000 hacked servers for sale, located in 173 countries. Buyers can peruse a list of available servers, each entry providing system information, whether admin privileges are available, the antivirus running on the machine, installed browsers, uptime, download and upload speeds, and the price and location.
xDedic markets itself as a medium for bringing affiliates together, taking a percentage of the money involved as its cut.
“However, given that the identities of the sellers are masked by handles, we cannot say with certainty whether or not the forum operators are compromising any of the servers themselves,” Guerrero-Saade said.
The list of hacked servers spans industries from banking to dating and gambling websites, online shopping sites and ad networks. Buyers sometimes search for particular software running on a server, with particular interest shown in mass-emailing software for spam campaigns, point-of-sale installations, and accounting or tax-preparation software. The possibilities for theft and fraud via this forum are endless.
“Despite claims otherwise, it’s hard to claim that the xDedic forum is meant to do anything other than enable criminals,” Guerrero-Saade said. “Just the same as a rogue locksmith selling copies of his clients’ house keys can suggest that these aren’t meant for criminal use, but their sole purpose is to provide third-parties illicit access to the homes of unsuspecting legitimate owners. Assurances to the contrary aren’t particularly compelling.”
Although the forum caters to criminals, advanced nation-state hackers could also find use for the hacked servers offered on xDedic: as staging platforms for further intrusions onto victims’ machines, as a place to store stolen data, or as a control server from which commands are sent.
“Maintaining these servers can be quite laborious, it sometimes provides hints for researchers as to the identity of the attackers, and is often where operators make telling mistakes,” Guerrero-Saade said. “The ability to acquire these servers from a third-party in charge of providing access lowers the entry and maintenance cost for these and other types of attackers and may also provide cover from being easily identified or related to previous campaigns with accuracy. It can be quite attractive.”
In the end, money trumps all, and the fact that xDedic makes these servers available even to criminals with relatively intermediate skills, for less than $10 in some cases, is a win for the buyer.
“Similarly, this access cannot be guaranteed long-term,” Guerrero-Saade said. “An administrator can change credentials or wipe the server, or simply take the server offline and the customer would arbitrarily lose access. This imposes an ephemeral limitation on the access being purchased.”
The Russian-speaking hackers behind xDedic, meanwhile, are running a well-oiled machine. Along with the 70,000-plus servers available in May, Kaspersky Lab learned there were 416 unique sellers from 173 countries operating on the forum. In March there were 425 sellers operating from 183 countries; the numbers indicate the forum is closely managed.
“We point to the booming growth as an indication of the popularity and adoption of the xDedic forum, as well as the active maintenance of the community both by administrators and the sellers, alike,” Guerrero-Saade said. “The success of this sort of offering suggests that this certainly won’t be the last of its kind.”