Criminals and advanced attackers for two years have had at their disposal an extensive trading platform selling access to hacked servers worldwide.
For as little as $6 USD, attackers can purchase access to a compromised machine and launch attacks or get a one-time peek at all the data on a server.
Researchers at Kaspersky Lab today published their investigation into the xDedic forum where 70,000 hacked servers are available via a polished, well-managed platform run by a Russian-speaking hacking group.
“The forum provides members with tools to patch RDP (Remote Desktop Protocol) servers to support multiple user logins, as well as other hacking tools, such as proxy installers and sysinfo collectors,” Kaspersky Lab researchers wrote in their report. “The main goal of the xDedic forum is to facilitate the buying and selling of credentials for hacked servers which are available through RDP.”
The researchers, who worked with an unnamed European ISP in gathering data on xDedic, trace the market back as far as 2014. It steadily grew to where in May there were 70,624 servers for sale, available from 173 countries. Researchers said there were 416 unique sellers trading in May on xDedic, down from 425 in March, when there were more than 51,000 servers available from 183 countries. This shows the forum is closely managed.
Once someone registers to use the forum at xdedic[.]biz, they can use a dashboard to see a list of available servers. For each available hacked server, the forum lists system information, whether admin privileges are available, antivirus running on the machine, browsers, uptime information, download and upload speeds, and the price and location. In May, 32 percent of the hacked servers were in Brazil, China, Russia, India and Spain.
Access via RDP servers gives purchasers remote access to compromised systems and the ability to pull off any number of attacks against available servers in financial services organizations, gambling, online shopping, and dating websites, ad networks and more. In some cases, purchasers are looking for servers hosting specific software types such as accounting, tax reporting and point of sale software, in addition to mass emailing software used for spam. Point of sale software was particularly popular, Kaspersky Lab researchers noted, with 453 servers from 67 countries available.
Affiliates, or partners, have their own portal and tools available to them, the researchers discovered. One of note was a validator tool called SysScan which partners use to profile servers that will be sold in the main forum, researchers said, adding that it primarily reports system information to a command and control server as well as download and upload speeds, as well as any software installed on the system.
On one machine where SysScan was found, researchers said they found tools (DUBrute and XPC) used to brute-force servers in order to gain access. Once a server is compromised, a custom piece of malware called SCCLIENT is installed which connects to one of eight command and control servers. Kaspersky Lab said it was able to sinkhole five of the C&C servers and in 12 hours, 3,600 unique IP addresses connected to them, including government agencies and universities.
Another tool found on compromised machines opens certain ports on the servers, turning them into unauthenticated SOCKS or HTTPS proxies. Researchers said xDedic also built its own RDP client for Windows, which it said customers use to copy login information into a RDP connection.
Kaspersky speculates in its report that the variety and price of available servers could be of service not only to criminals but ATP gangs.
“The vast amount of servers for sale on the xDedic marketplace offers a very likely alternative for APT actors with low resources, willing to fly under the radar or having difficulties in getting a foothold in any of its victims,” the report says. “8 USD is a very cheap price to pay for full access to potential high profile targets. Usually overlooked, servers that have been hacked using brute-force methods might present an opportunity for APT actors that doesn’t arouse suspicion.”