Underground market selling details of compromised servers in 173 countries

Singapore, China, and Malaysia are among nations where 70,620 Remote Desktop Protocol servers listed on the xDedic marketplace are located, including systems in government and private networks.
Written by Eileen Yu, Senior Contributing Editor

An underground marketplace has been found to be selling information of more than 70,600 compromised servers in both government and private networks, located across 173 countries including Singapore, China, Malaysia, and Australia.

Available for sale from US$6 each, access to these servers was being hawked at a cyber black market called xDedic, which appeared to be operated by a Russian-speaking group, according to Kaspersky Lab. Researchers from the cybersecurity vendor had received a tipoff from a European ISP in March 2016 about the marketplace and both companies jointly investigated the underground operations.

While such black markets were not uncommon, this particular discovery stood out due to its sizeable list, placing xDedic among the biggest global marketplaces of compromised servers operating in the market today, noted Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab's global research and analysis.

Speaking to ZDNet in a phone interview, he said while xDedic appeared to have been operational since 2014, activities at the marketplace began ramping up last year. Based in Singapore, Kamluk was part of the global team investigating xDedic.

As of May 2016, it listed 70,624 compromised Remote Desktop Protocol (RDP) servers for sale from 416 different sellers, though it seemed to act only as a trading platform on which the data could be sold and bought, and had no affiliation to the sellers.

xDedic would collate the information from hackers claiming to have breached the systems. This data then would be verified against a checklist including RDP configuration, memory, software, and browsing history, before it was put up for sale on the marketplace. Potential customers would be able to search through the information before making their purchase.

All purchases would include a variety of hacking and systems information tools.

According to Kaspersky, the compromised RDP servers hosted or provided access to popular consumer websites and services, including games, betting, online retailers, online banking and payment, and cell phone networks. Others contained software to facilitate direct mail, financial accounting as well as point-of-sales (POS) functions.

The systems also belonged to a range of government networks, private companies as well as universities, and potentially could be used to penetrate the organisation's infrastructure or hijacked to launch cyberattacks.

Kamluk explained that some of these servers were not blacklisted by major retailers including Amazon.com, AirBNB, Best Buy, eBay, Apple stores, and Walmart, which meant they would have maintained a good reputation and approved access to such websites.

Established retailers typically were stringent about the IP addresses they provided access to, so servers that remained in good stead would be of value to cybercriminals, who could use the systems to buy and sell goods via Amazon.com, for instance.

Singapore among countries hosting compromised servers

Among the 173 countries, the top 10 in which the compromised servers were located were Brazil, China, Russia, India, Spain, Italy, France, Australia, South Africa, and Malaysia. These 10 countries accounted for 49 percent of all RDPs listed, with Brazil the most popular at 9 percent, followed by China at 7 percent. Australia and Malaysia each accounted for 3 percent of the total list.

The remaining 51 percent were grouped under "Others".

Singapore was ranked 29th, with 743 compromised servers listed on xDedic as of May 2016, Kamluk revealed. The first compromised server from the city-state was listed on the marketplace in February 2015, after which more credentials were gradually added to the inventory. In April 2016, for instance, 136 new RDPs were added while another 82 were listed just last month.

Asked if any of the systems were from Singapore government networks, he said it was difficult to determine because not all IP names would indicate the organisation to which the server belonged. He added that most of the names listed were private companies and ISPs.

Across the global inventory, government networks that did identify themselves through their IP addresses included Thailand's Ministry of Public Health.

While it was surprising that the US or other major European markets were not among the top countries in the list, Kamluk theorised that this could be because credentials from these locations would be more popular and taken off the inventory after they were sold to cybercriminals.

On the other hand, the top 10 countries could have more exposed vulnerable servers or had weaker security policies in general, he said, adding that RDP information purchased by cybercriminals potentially could be put back on the marketplace to be resold.

Costin Raiu, Kaspersky Lab's director of global research and analysis team, said in the report: "xDedic is further confirmation that cybercrime-as-a-service is expanding through the addition of commercial ecosystems and trading platforms. Its existence makes it easier than ever for everyone, from low-skilled malicious attackers to nation-state backed APTs to engage in potentially devastating attacks in a way that is cheap, fast, and effective.

"The ultimate victims are not just the consumers or organisations targeted in an attack, but also the unsuspecting owners of the servers [that] are likely to be completely unaware their servers are being hijacked again and again for different attacks," Raiu said.

Kamluk said Interpol had been notified about xDedic and Kaspersky had begun notifying organisations that had servers listed on the marketplace. The security vendor also was in touch with local Computer Emergency Response Teams (CERT) worldwide as well as some law enforcement agencies, particularly in countries where breaches had been identified and reported by affected organisations.


Top sellers on xDedic (May 2016)

Source: Kaspersky Lab