Kaspersky Lab discovers underground market selling 70,000 hacked servers
Kaspersky Lab researchers have discovered an underground market of hacked servers, which can sell for as little as $6 per compromised server. What's more, a leading Kaspersky Labs executive says Australians are too relaxed about security.
The marketplace, called xDedic, has been around since 2014 and currently has 70,624 hacked Remote Desktop Protocol (RDP) servers for sale, and it appears to be run by a Russian-speaking group, Kaspersky Labs says.
Kaspersky Labs was alerted to the marketplace's presence by a European internet service provider and they worked together to find out how the marketplace works.
According to Kaspersky Labs, some of the servers host or provide access to popular consumer websites, though none have been named. Some servers also have direct mail, point-of-sale and financial accounting software loaded, which can be used to develop wider attacks. These hacked servers can remain undetected by the owners, who can include government organisations, enterprises and universities.
Kaspersky Labs says xDedic is a well-organized and supported marketplace, which caters to entry-level cybercriminals to experts. The marketplace reportedly offers easy, fast and cheap access to organisational infrastructures that can prolong the anonymity of the attacks.
“xDedic is further confirmation that cybercrime-as-a-service is expanding through the addition of commercial ecosystems and trading platforms. Its existence makes it easier than ever for everyone, from low-skilled malicious attackers to nation-state backed APTs to engage in potentially devastating attacks in a way that is cheap, fast and effective," says Costin Raiu, Director, Global Research and Analysis Team, Kaspersky Lab.
The ultimate victims are not just the consumers or organizations targeted in an attack, but also the unsuspecting owners of the servers: they are likely to be completely unaware that their servers are being hijacked again and again for different attacks, all conducted right under their nose,” Raiu continues.
XDedic listings are acquired through server hacking and then bringing the credentials to the marketplace. The hacked servers are checked and listed in terms of their RDP configuration, memory, software and other functions. The servers are then inventoried according to their type, for example government network servers, specific website servers and services with specific software installed.
The servers can then be used as a phantom for targeted malware, DDoS, phishing, social endineering and adware attacks. Once hackers have finished, they can then put the servers up for sale, renewing the entire process.
Hacked servers for sale are located in many worldwide locations including Brazil, China, India, Spain, Italy, Australia, Malaysia and South Africa.
“Cybercrime is becoming more sophisticated and continue to reach out to the most obscure avenues into our day to day activities. We are too laid back and think cybercrime won't happen to us. People take it for granted until they've been hacked. We must remember that hackers now are more sophisticated on how they choose to attack us. Prevention is better than cure but that can't be done without awareness, education and a follow through,” says Peter Brady, general manager of Kaspersky ANZ.
Kaspersky Lab recommends:
- Using a multilayered security approach to IT using robust security solutions
- Use strong server authentication passwords
- Ensure patch management is continuous
- Conduct regular IT infrastructure security audits
- Consider threat intelligence service investment for information and risk assessment.