Black market for hacked servers uncovered
A GLOBAL cybersecurity firm has uncovered a massive underground market selling over 70,000 hacked servers from 173 countries, including the Philippines.
According to Kaspersky Lab, this cybercrime marketplace called xDedic sells hacked and compromised Remote Desktop Protocol (RDP) servers of government networks, corporations, and universities for only $6 each.
This meant that for this marginal amount, members of the xDedic forum can access all the data of a server and use this as platform for further malicious attacks.
This could potentially include targeted attacks, malware, phishing, social-engineering, among others.
The top 10 affected countries are Brazil, China, Russia, India, Spain, Italy, France, Australia, South Africa and Malaysia, while the Philippines was reportedly among the top 50 countries with hacked servers listed in xDedic.
Kaspersky, however, did not provide details on the extent of xDedic’s reach—whether across government agencies or corporations—in the country.
“xDedic is further confirmation that cybercrime-as-a-service is expanding through the addition of commercial ecosystems and trading platforms. Its existence makes it easier than ever for everyone, from low-skilled malicious attackers to nation-state backed APTs (advanced package tool) to engage in potentially devastating attacks in a way that is cheap, fast and effective,” said Costin Raiu, director for Global Research and Analysis Team at Kaspersky Lab.
“The ultimate victims are not just the consumers or organizations targeted in an attack, but also the unsuspecting owners of the servers. They are likely to be completely unaware that their servers are being hijacked again and again for different attacks, all conducted right under their nose,” Raiu said.
Kaspersky Lab explained that the xDedic marketplace was estimated to have opened for business in 2014, and has grown significantly in popularity since the middle of 2015.
As of end-May this year, the marketplace listed as for sale 70,624 servers from 173 countries, posted in the names of 416 different sellers.
This development poses significant security threats because many of the servers host or provide access to popular consumer websites and services and some have software installed for direct mail, financial accounting and Point-of-Sale (PoS) processing.
Access to these can be used to target the owners’ infrastructure or as a launchpad for wider attacks, while the owners, including government entities, corporations and universities, have little or no idea of what’s happening.
A European internet service provider (ISP) was said to have alerted Kaspersky Lab of the existence of xDedic.
The process was reportedly simple and thorough: hackers break into servers, often through brute-force attacks, and bring the credentials to xDedic.
The hacked servers are then checked for their configuration, memory, software, browsing history and more—all features that customers can search through before buying.
After that, they are added to a growing online inventory that includes access to key servers belonging to government networks, corporations and universities and which were tagged for having access to or hosting certain websites and services, including gaming, betting, dating, online shopping, online banking and payment, cell phone networks, ISPs and browsers.
