xDedic: The Black Market Of Hacked Servers Decoded

by Priyanka Pugaokar    Jun 27, 2016

xDedic Is your server hack proof? The Russian security vendor, Kaspersky has exposed the hacker marketplace that trades compromised servers. The ‘xDedic’ marketplace currently offers access to more than 70,000 compromised servers at very cheap price. The alarming number of hacked servers on xDedic is a clear indication that cybercriminals are stepping up towards cybercrime-as-a-service model. It is a high time for organizations to gear up to tackle organized and sophisticated attack launches of cyber crooks.  


The Rise of xDedic

Came into existence in 2014, xDedic is a marketplace where hackers trade access to compromised servers. xDedic market is allegedly run by a Russian-speaking notorious group whose identity is not yet revealed. The xDedic forum gained popularity in 2016 with a sudden spike in the amount of servers offered from 3,000 compromised servers in mid-2015 to over 70,000 compromised servers in May 2016. Brazil, China, Russia, India and Spain are the top five countries buzzing on the xDedic platform. Out of compromised servers being traded on the platform, more than 6,000 are in Brazil, 5,000 in China, 4000 in Russia. India, which has been on the radar of cyber criminals stands at the fourth spot with 3488 hacked servers. 

The xDedic marketplace offers servers from small hackers to nation-state attackers for a petty amount of $6. Hackers compromise a server, usually through a brute-force attack and then offer it for trade on xDedic. Before being listed on the site, the server checks for its configuration, memory, software, browsing history and more – all features that customers can search through before buying. Details of pre-installed software or website hosting are of particular interest and these servers are tagged accordingly. The owners of the forum provide a range of proxy installer and system-information gathering tools to help buyers choose the right server for them.

It offers buyers access to servers belonging to government networks, corporations and universities. It also provides access to servers that have access to or host certain websites and services, including gaming, betting, dating, online shopping, online banking and payment, cell phone networks, ISPs and browsers. Buyers can also buy servers with pre-installed software that could facilitate attacks like denial-of-service attacks or spam blast. Buyers can use the servers to siphon credit and debit card numbers, and confidential data stored on the systems. 

Also Read: Kaspersky Lab Exposes Black Market Selling Hacked Servers

Gravity of Risk

The xDedic marketplace also provides tools to patch Remote Desktop Protocol servers (RDP) to support multiple user logins. Anyone can register on xDedic with a condition of activating the account within 72 hours of registration. To get a permanent account on the forum users are requested to deposit a $10 USD fee. 

Sellers are generally listed on the site as “partners” and have access to a password-protected portal. The Kaspersky Lab and European ISP investigation identified around 416 unique sellers on xDedic who are offering more than 16,000 servers for rent. UFOSysem, Intro, Narko, xLeon, sir, selez, MisterRDP, Athlon RDP_seller and xSeller are some of the top sellers on xDedic market place. However, very little information is known about buyers of these hacked servers.

Cybercriminals not only passively sell access to compromised servers, but also offers custom tools to buyers to help them hijack servers. They offer tools like SysScan that automatically collects information about compromised systems such as memory, software, etc. In addition to the SysScan tool, xDedic also provide hackers a tool to reconfigure the servers they compromise to help hide their presence on the systems and prevent the real system administrators from blocking them.

Servers with accounting and gambling software, or point-of-sale software are more expensive on the xDedic platform. According to Kaspersky’s investigation around 450 of the compromised servers have point-of-sale software installed on them.

India Top Target 

According to Kaspersky, in India 3488 servers have been compromised, which included companies across verticals. The organizations which have fallen victim to cyber crooks include government entities, corporations, companies hosting popular consumer websites and services and educational institutes. However, the investigation has not revealed the names these organizations. Surprisingly, these institutes are completely unaware that their servers have been hacked and are being used to launch cyber attacks. 

Kaspersky has approached the Computer Emergency Response Team-India (CERT-In) to take appropriate steps on this serious threat. Apart from that, the Russian security solution provider is offering different protective measures against xDedic activities. “We informed CERT-In about the compromised servers immediately. After sharing the information with CERT-In, we are confident that they will take it to its logical conclusion”, said Altaf Halde, Managing Director - South Asia, Kaspersky Lab, adding, “We have taken multiple steps to spread awareness about xDedic marketplace. We conducted an executive threat alert webinar on this topic recently. We continue to spread this message via blogs and press briefings and hopefully it will create awareness for everyone”, Halde said. 

The existence of underground cybercrime forums is not new in the security landscape. Cybercriminals are bringing a high level of specialization in their business models like xDedic. Now it is feared that more specialized marketplaces would appear in the near future and cybercrime-as-a-service could soon become a reality. Kaspersky’s revelation about xDedix marketplace is an eye opener for organizations in India which are still reluctant to consider security as their top most priority.