xDedic Scope May Be Larger Than Originally Thought

New data shared with Kaspersky Lab could enlarge the scope of the xDedic marketplace of hacked servers.

New data anonymously shared with Kaspersky Lab researchers may enlarge the scope of and provide additional context to the hacked RDP servers for sale on the now defunct xDedic marketplace.

The underground marketplace was disclosed in a report published last Tuesday describing an eBay-style platform of more than 70,000 hacked servers, some of which could be had for as little as $6 USD.

The marketplace brought sellers and buyers together, and business was apparently brisk before a number of ISPs collaborated in shutting it down. Kaspersky Lab said in its report that there were servers available in 173 countries and that as of May, 416 unique sellers were operating on the platform.

The Russian-speaking group allegedly behind xDedic was facilitating the sale of access to RDP servers; RDP allows a server to accept connections and host multiple client sessions for desktops and applications, whether on the local LAN or remotely.

Once the Kaspersky Lab report was made public, a comment posted to the site from a Lithuanian IP included a number of links to Pastebin sites and 176,000 unique records of IP addresses and dates between November 2014 and February of this year purportedly from xDedic.

Researchers cannot say with 100 percent certainty that the information is valid, but there is some overlap between the data Kaspersky gathered by sinkholing one part of the full dataset and the more than 71,000 IP addresses in the Pastebin pastes that were running RDP on the expected ports. A better indicator of the new data's possible validity is its subnets: Kaspersky found that all but three of the subnets it had from xDedic from before March 2016 were also part of the Pastebin data.

“We checked those and found that they were added on 29th of February 2016,” researchers wrote in an update published today. “We assume that these three IPs (subnets) were added at the end of the day, right after the Pastebin dump ended.”
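The validation described above comes down to two set comparisons: which sinkholed IPs also appear in the dump, and which previously known subnets the dump does or does not cover (plus the dump's date range, which is what let the researchers reason about the three missing subnets). The following Python is an added example written for this article, not Kaspersky Lab's code; the dump lines, sinkhole IPs and subnets are constructed sample values using documentation address ranges, and the CSV-like `ip,YYYY-MM-DD` format is an assumption about how such a dump might look.

```python
import ipaddress
from datetime import date

# Constructed sample data (not from the article): a small "Pastebin dump" of
# ip,date lines, a set of IPs seen via sinkholing, and subnets known beforehand.
PASTEBIN_DUMP = """\
203.0.113.10,2015-01-12
203.0.113.11,2015-01-12
198.51.100.5,2015-06-30
198.51.100.6,2015-07-01
192.0.2.77,2016-02-28
192.0.2.78,2016-02-29
not-an-ip,2016-01-01
"""

SINKHOLE_IPS = {"203.0.113.10", "198.51.100.6", "192.0.2.78", "192.0.2.200"}

KNOWN_SUBNETS = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24", "100.64.0.0/24"]


def parse_dump(text):
    """Parse 'ip,YYYY-MM-DD' lines into {ip: date}; malformed lines are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ip_str, day = line.split(",", 1)
            ip = ipaddress.ip_address(ip_str.strip())
            records[str(ip)] = date.fromisoformat(day.strip())
        except ValueError:
            # Either the IP or the date failed to parse; ignore the line.
            continue
    return records


def ip_overlap(dump, sinkhole_ips):
    """IPs present both in the dump and in the sinkhole data, sorted."""
    return sorted(set(dump) & set(sinkhole_ips))


def subnet_coverage(dump, subnets):
    """Split known subnets into those containing at least one dump IP and those
    containing none; the latter are the ones worth explaining (e.g. by date)."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    addrs = [ipaddress.ip_address(ip) for ip in dump]
    covered, uncovered = [], []
    for net in nets:
        (covered if any(a in net for a in addrs) else uncovered).append(str(net))
    return covered, uncovered


def date_range(dump):
    """Earliest and latest dates in the dump as ISO strings."""
    days = sorted(dump.values())
    return days[0].isoformat(), days[-1].isoformat()


if __name__ == "__main__":
    dump = parse_dump(PASTEBIN_DUMP)
    print("records:", len(dump))
    print("overlap with sinkhole:", ip_overlap(dump, SINKHOLE_IPS))
    covered, uncovered = subnet_coverage(dump, KNOWN_SUBNETS)
    print("subnets covered:", covered)
    print("subnets missing from dump:", uncovered)
    print("dump spans:", date_range(dump))
```

On realistic data the interesting output is the "missing from dump" list: a known subnet that the dump never mentions is either evidence against the dump's authenticity or, as in the article, something the dump's end date can explain.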

If the new data is from xDedic, Kaspersky said, the number of compromised servers is much higher and they come from different regions than originally reported. The majority of the servers, for example, come from the U.S. (60,081) and the United Kingdom (8,817), whereas in the original dataset Brazil and China were the top two countries and accounted for a combined 11,563 servers. Taking the Pastebin data into account, Canada and Germany now enter the top 10 as well.

“This may make more sense when you consider that the marketplace data concerns only unsold offerings, while the huge Pastebin dataset could reflect a more realistic picture of all compromised servers,” Kaspersky’s report today says. “This suggests that the source of the data is either high-frequency monitoring of the xDedic marketplace (with access to full IP information) or someone had advanced access to the backend (be it a hosting provider or one of the developers).”

The prices for compromised servers are also a bit higher than originally reported. For example, one in Chicago tops the list at $6,000 followed by others in New Bedford, Ma., Bellevue, Wa., Lucedale, Ms., and Stratford, Ok., checking in at $4,000 each. The top 10 priciest servers were from the same seller, a hacker called “Narko”, each at $1,500 or more and all in the U.S.

“A number of questions remain about the integrity and authenticity of the Pastebin data, but whatever its source, it shows that what we found on xDedic represents just the tip of the iceberg in terms of the underground selling and buying of hacked servers,” Kaspersky Lab said in a statement. “Even though many of the IPs listed on Pastebin may now be fully secure, we would urge all system administrators to inspect their servers for any sign of current or past compromise.”
