xDedic, a platform for selling hacked credentials, serves as an attack starting point

June 15, 2016

Kaspersky Lab has been researching an active cybercriminal trading platform called xDedic lately. The main purpose of the xDedic marketplace is to facilitate the buying and selling of credentials from more than 70,000 hacked servers around the world, all of which are available through Remote Desktop Protocol (RDP). The database also comes with a search engine: It is possible to find almost anything — government and corporate networks, compromised machines in different countries — on xDedic for as little as $8 per server.

 

An easy start for targeted attacks

The xDedic marketplace’s huge volume of servers for sale makes it attractive for targeted attack operators with scant resources, naturally wanting to avoid detection but having problems finding a point of entry into any victim’s network. And $8 is a very low price for getting full access to potential high-profile targets. This one-time cost provides a malicious customer with access to all of the data on the server, as well as other opportunities — for example, exploiting the server as a kind of a bridgehead for further attacks.

Besides the implications for targeted attacks, the marketplace’s data reveal a consistent quantity of servers on sale in very different locations. The tagging system helps opportunistic attackers find new targets easily. The owners of the xdedic[.]biz domain claim they have no relation to the sellers of hacked server access; they just provide a secure trading platform for others.

Servers purchase form

Servers purchase form

 

“Partner” program as a step to APT-as-a-service

The xDedic forum has a separate subdomain (partner[.]xdedic[.]biz) for the site’s “partners.” The so-called partners are essentially the sellers who offer hacked servers in the marketplace. The xDedic owners have developed a tool that can automatically collect information about the system, including websites available, any software installed, and so on. The xDedic team also provides other tools to its partners: a patch for RDP servers to support multiple logins for the same user, proxy installers, and more.

 

xdedic_sellers

Top xDedic sellers. May 2016

The existence of underground cybercrime forums is no news at all. However, it is interesting to observe the primary focus of cybercriminals shifting over the last few years. Nowadays, administrators of forums like xDedic have achieved the high level of specialization. This successful model cannot be easily replicated, but we believe even more specialized marketplaces are likely to appear. Should that happen, targeted-attacks-as-a-service could become a reality.

The detailed report on xDedic group activities is available at Securelist.

Don’t fall a victim to xDedic “partners”

Kaspersky Lab provides different protective measures against xDedic activities. With the help of Kaspersky Security Network, we managed to identify several files that were downloaded from the partners’ portal — the password-protected system-information-gathering tool. We detected these files as malicious and also blacklisted the URLs of control servers for gathering information about the infected systems. The detailed report contains much more information on hosts and network-based compromise indicators for xDedic-related tools and domains.

Criminals invent new ways of penetrating corporate networks every day, and so companies have to be proactive. Kaspersky Security Intelligence Services presents a comprehensive approach to proactive defense and provides different measures of mitigating xDedic-like threats. First, subscription service APT Intelligence Reporting brings regular, quick, and efficient intelligence data about advanced attacks. Our customers were informed in advance about the xDedic campaign, and we provided the necessary data to detect a potential breach in the networks.

Kaspersky Security Intelligence Services also include Penetration Testing as the key solution to find weak points in the security perimeter before cybercriminals do. During such tests, our experts act like attackers to determine potential entry points in the corporate security perimeter and give recommendations on ways to improve security systems.

Another service, Targeted Attack Discovery, helps to answer the question: “Is our IT infrastructure already compromised?” The service enables you to detect cybercriminal and cyberespionage activities in your network, to find the reasons and possible sources of the incidents, and to effectively plan mitigation activities. It also helps you avoid similar attacks in the future. The service includes threat intelligence, tool-aided analysis of the network and system artifacts based on information from Kaspersky Lab’s database of indicators of compromise (IoCs) and collected evidence of incident response teams.

The RDP access used by xDedic “clients” is a legitimate tool often sanctioned by IT personnel, but it sometimes inadvertently increases the risk of an attack. To avoid such misconfiguration, Kaspersky Lab also offers important Security Training services for IT and non-IT workersKaspersky Lab provides different levels of such training suitable for managers, security specialists, and non-IT employees.

All attacks leave traces, no matter how hard criminals try to cover their tracks. In addition to Kaspersky Security Intelligence Services, we provide the specialized Kaspersky Anti Targeted Attack platform, the product of choice when a company wants to identify an ongoing attack as soon as possible. Our solution detects activity that is clearly different from the regular business workflow and alerts the security team. In case of xDedic, the abnormal behavior of compromised machines leased to other cybercriminals is obvious (outbound RDP connections, malicious files on the servers, etc.). We provide the right tools and procedures to identify an attack as soon as possible.