Criminal Marketplace Offers Cheap Server Access For Global Cyber-Attacks

Cybercriminals can purchase access to compromised servers belonging to legitimate organisations, in order to carry out their cyber-attacks.

The underground marketplace for criminals is called the xDedic marketplace, and it has been likened to eBay for criminals, said Kaspersky Lab researchers. It offers access to 70,624 hacked Remote Desktop Protocol (RDP) servers for a paltry $6 (£4.23).

Who Is Accessing Your Server?

The server access allows attackers to undertake a number of criminal activities, as the hacked servers come preloaded with software that lets them carry out denial-of-service attacks on other networks, launch spam campaigns, illicitly mine bitcoin, or compromise online or retail payment systems.

All of these criminal activities are carried out without the server owner actually being aware that their machines are being used in this manner.

“From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything,” said Kaspersky Lab researchers. “And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.”

Kaspersky Lab said that it had been alerted to the underground marketplace by a European ISP.

“The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks,” said Kaspersky Lab researchers. “It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.”

But how are criminals able to compromise seemingly innocent third-party servers? Kaspersky Lab and the European ISP investigated, and it seems that the hackers break into the servers, often through brute-force attacks, and then bring the credentials to xDedic. Each compromised server is then checked for its RDP configuration, memory, software, browsing history and more, all features that customers can search through before buying.

Kaspersky Lab said that compromised servers typically belong to government networks, corporations and universities. It has reported this issue to the appropriate law enforcement agencies and is cooperating in an ongoing investigation.

“xDedic is further confirmation that cybercrime-as-a-service is expanding through the addition of commercial ecosystems and trading platforms,” said Costin Raiu, Director, Global Research and Analysis Team, Kaspersky Lab.

“Its existence makes it easier than ever for everyone, from low-skilled malicious attackers to nation-state backed APTs to engage in potentially devastating attacks in a way that is cheap, fast and effective,” he said. “The ultimate victims are not just the consumers or organisations targeted in an attack, but also the unsuspecting owners of the servers: they are likely to be completely unaware that their servers are being hijacked again and again for different attacks, all conducted right under their nose.”

Underground Marketplaces

The existence of underground marketplaces where such services can be purchased is nothing new.

Last year Intel carried out an investigation into the Dark Web, where stolen data and accounts are routinely traded among criminals.

It discovered that these criminal marketplaces had evolved to include almost every conceivable cybercrime product for sale or rent. It found, for example, that entire PayPal accounts worth between £250 and £650 were being sold for as little as £15 to £30 on the Dark Web.

Authorities are, of course, aware of these sites and periodically launch crackdowns, but unfortunately the problem persists.

Earlier this month, researchers at Trustwave discovered that an unpatched Local Privilege Escalation (LPE) vulnerability in Windows was being touted for sale on an underground market for Russian-speaking cyber criminals.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
