xDedic emerges as an underground marketplace for cyber criminals; India among the most affected countries
A global forum called xDedic has become an underground marketplace where cyber criminals buy and sell access to compromised servers for as little as USD 6 each. According to Kaspersky Lab researchers, the trading platform currently lists 70,624 hacked Remote Desktop Protocol (RDP) servers for sale.
As per the investigation, the marketplace is allegedly run by a Russian-speaking group, who admit to providing the trading platform but claim no association with the cyber criminals who use it.
What can they do?
Many of the servers host or provide access to popular consumer websites and services, and some have software installed for direct mail, financial accounting and Point-of-Sale (PoS) processing, as per the investigation.
The purchased ‘product’ can be used to target the owners’ infrastructures or as a launch-pad for wider attacks, while the owners, including government entities, corporations and universities, have little or no idea of what’s happening.
Whoever buys the access can read all of a server's data and also use the machine as a platform for further malicious activity. This could include targeted attacks, malware distribution, DDoS, phishing, social engineering and adware campaigns, among others, as per Kaspersky Lab.
The investigations further revealed that the hackers can acquire and further sell access to:
- Servers belonging to government networks, corporations and universities
- Servers tagged for having access to or hosting certain websites and services, including gaming, betting, dating, online shopping, online banking and payment, cell phone networks, ISPs and browsers
- Servers with pre-installed software that could facilitate an attack, including direct mail, financial and PoS software
- All supported by a range of hacking and system information tools
xDedic's developers also provide profiling software which collects information about the software installed on the server, such as online gambling, trading and payment applications. Apparently there is strong interest in accounting, tax reporting and point-of-sale (PoS) software, which open up many opportunities for fraudsters, as per Securelist.
What do they have?
This cyber criminal marketplace has allegedly been doing 'business' since 2014 and has grown significantly in popularity since the middle of 2015.
xDedic does not directly sell anything but instead, as per Securelist, provides a 'quality service' including technical support, special tools that patch hacked servers to allow multiple simultaneous RDP sessions, and profiling tools that upload information about the hacked servers into the xDedic database. Kaspersky also identified a related piece of malware, SCClient, and sinkholed its command-and-control servers, as per Securelist.
As per Kaspersky Lab, in March 2016 the market had 55,000 compromised servers on offer; by May 2016 this had grown to 70,624 servers across 173 countries, posted under the names of 416 different sellers.
How do they work?
As per the investigation by Kaspersky Lab, hackers break into servers, often through brute-force attacks on RDP credentials, and bring the credentials to xDedic. The hacked servers are then checked for their RDP configuration, memory, installed software, browsing history and more, all features that customers can search through before buying. After that,
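The brute-force entry point described above leaves a characteristic trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, frequently followed by one successful logon (event 4624). The following detection logic is an added example written for this page, not code from Kaspersky Lab or the article's source; it runs over a constructed, simplified export of such events (the log lines, hostnames and addresses are made up, and the key=value layout is an assumption, not the native Windows format). Logon type 10 is RemoteInteractive (RDP). One caveat a practitioner should keep in mind: when Network Level Authentication is enabled, failed RDP attempts are typically recorded as 4625 with logon type 3 (network), so the `logon_types` parameter should include 3 on such hosts.

```python
"""Flag RDP brute-force bursts and the successful logon that often follows them."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified key=value export format (assumption,
# not the native Windows event layout). 4625 = failed logon, 4624 = success,
# LogonType 10 = RemoteInteractive (RDP), LogonType 3 = network.
SAMPLE_LOG = """\
2016-05-03T02:14:01 EventID=4625 LogonType=10 Account=administrator IpAddress=198.51.100.23
2016-05-03T02:14:03 EventID=4625 LogonType=10 Account=admin IpAddress=198.51.100.23
2016-05-03T02:14:04 EventID=4625 LogonType=10 Account=sqlsvc IpAddress=198.51.100.23
2016-05-03T02:14:06 EventID=4625 LogonType=10 Account=backup IpAddress=198.51.100.23
2016-05-03T02:14:09 EventID=4625 LogonType=10 Account=administrator IpAddress=198.51.100.23
2016-05-03T02:14:12 EventID=4625 LogonType=10 Account=administrator IpAddress=198.51.100.23
2016-05-03T02:14:15 EventID=4624 LogonType=10 Account=administrator IpAddress=198.51.100.23
2016-05-03T02:20:00 EventID=4625 LogonType=10 Account=jsmith IpAddress=203.0.113.8
2016-05-03T02:21:30 EventID=4624 LogonType=10 Account=jsmith IpAddress=203.0.113.8
2016-05-03T02:30:00 EventID=4625 LogonType=3 Account=svc_web IpAddress=192.0.2.77
"""

# Logon types that count as RDP. With NLA enabled, failures show up as type 3,
# so pass {3, 10} on such hosts (at the cost of also catching SMB/RPC failures).
RDP_LOGON_TYPES = {10}


def parse_events(text):
    """Parse the key=value lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(kv["EventID"]),
            "logon_type": int(kv["LogonType"]),
            "account": kv["Account"].lower(),
            "ip": kv["IpAddress"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                    logon_types=RDP_LOGON_TYPES):
    """Return {ip: summary} for every source IP with at least `threshold`
    failed RDP logons inside any sliding `window`; the summary records the
    largest burst seen, the accounts tried, and when it started and ended."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in logon_types:
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                burst = evs[start:end + 1]
                alerts[ip] = {
                    "failures": count,
                    "accounts": sorted({b["account"] for b in burst}),
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                }
    return alerts


def successes_after_bruteforce(events, alerts, grace=timedelta(minutes=30)):
    """Pair each brute-force burst with a later successful RDP logon (4624,
    type 10) from the same IP within `grace`: the strongest sign that the
    credentials worked and the server may now be up for sale."""
    hits = []
    for e in events:
        a = alerts.get(e["ip"])
        if (a and e["event_id"] == 4624 and e["logon_type"] == 10
                and a["last"] <= e["time"] <= a["last"] + grace):
            hits.append((e["ip"], e["account"], e["time"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    alerts = find_bruteforce(evs)
    for ip, a in alerts.items():
        print(f"{ip}: {a['failures']} failed RDP logons against {a['accounts']} "
              f"between {a['first']} and {a['last']}")
    for ip, acct, when in successes_after_bruteforce(evs, alerts):
        print(f"POSSIBLE COMPROMISE: {ip} logged in as {acct} at {when} after the burst")
```

On the constructed sample, only 198.51.100.23 is flagged (six failures across four accounts in eleven seconds, then a successful administrator logon); the single failure from 203.0.113.8 stays below the threshold, and the type-3 failure from 192.0.2.77 is ignored unless `logon_types` is widened for NLA hosts.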
Who are involved?
UFOSystem and Intro were ranked the top sellers, with 30,381 sales in 2016 alone.
Impact on India
India is among the most affected nations and ranks 4th: as many as 5% of the compromised servers put up for sale are from India. India had 3,488 compromised servers listed on xDedic as of May 2016, says Kaspersky Lab.
The top 10 countries affected are:
Brazil, China, Russia, India, Spain, Italy, France, Australia, South Africa and Malaysia.