Hacked servers from all around the world are up for sale on obscure online marketplaces, and they are quite cheap too, going for as low as $6, Kaspersky Labs researchers warn.
One shady marketplace where one can purchase a hacked server is xDedic, with more than 70,000 items offered for sale, including compromised servers on government networks, corporate servers, web servers, or databases. According to Kaspersky researchers, 416 unique sellers had hacked servers in 173 affected countries listed on this marketplace in May 2016.
The cheap prices will appeal to many malicious buyers: for only $6, one could purchase access to a server located on a European Union country's government network. This one-time payment would provide the buyer with “access to all the data on the server and the possibility to use this access to launch further attacks,” researchers explain.
“It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors,” Kaspersky says.
According to researchers, this new type of underground market where hacked servers are offered for sale has flourished over the last two years, and it is still growing. In March, the number of available servers was only 51,752, but it grew to 70,624 servers by May, a clear indicator that someone is actively maintaining the database of users and servers.
In a comprehensive report on xDedic (PDF), Kaspersky explains that this obscure marketplace came into being in November 2014, when a single compromised server was offered for sale. For each of the over 70,000 servers currently available there, xDedic provides detailed information: price, location, speed, anti-virus installed, and more.
Researchers also observed that the developers of xDedic (a Russian-speaking group of hackers) are not selling anything themselves; they only provide the environment in which a network of affiliates can sell access to compromised servers. Moreover, xDedic maintainers have created a sort of “quality” service, with live technical support available on the forum. There are “special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database,” researchers say.
The xDedic developers use profiling software designed to collect information about the software installed on the compromised server, such as online gambling, trading and payments. What’s more, Kaspersky researchers discovered that accounting, tax reporting and point-of-sale (PoS) software on these servers are of high interest, as they open up many opportunities for fraudsters.
Of the servers offered for sale on xDedic, 453 (from 67 countries) had PoS software installed, researchers say. This allows a malicious buyer to access the obscure marketplace, register an account, fund it with Bitcoin, purchase servers with PoS software installed, and then install PoS malware to harvest credit card numbers.
When it comes to the affected countries, Brazil is at the top of the list, with 6,540 or 9% of the hacked servers, followed by China with 5,023 or 7% of them, and Russia with 4,020 or 6% of them. India and Spain at 5%, Italy and France with 4%, and Australia, South Africa, and Malaysia with 3% round out the top 10 most affected countries, Kaspersky reveals. However, these ten account for only 49% of the compromised servers.
Researchers also managed to compile a list of the top 10 sellers on xDedic, though little is known about their identities. What Kaspersky did manage to learn, however, was that one of these sellers, supposedly a top five seller going by the names Narko, xLeon or sirr, was using a specific piece of malware, dubbed SCCLIENT. The malware’s operators also installed bitcoin-mining software on the compromised servers, to use the idle time while waiting for a buyer.
“The vast amount of servers for sale on the xDedic marketplace offers a very likely alternative for APT actors with low resources, willing to fly under the radar or having difficulties in getting a foothold in any of its victims. 8 USD is a very cheap price to pay for full access to potential high profile targets. Usually overlooked, servers that have been hacked using brute-force methods might present an opportunity for APT actors that doesn’t arouse suspicion,” Kaspersky says. “All in all, not only can this successful model be easily replicated, but we expect to see even more specialized marketplaces appear where APT-as-a-service becomes a reality.”
In April, a Dell SecureWorks report on underground hacker markets revealed that cybercriminals are willing to crack accounts on popular email or social media services for only $129. While hacked servers are picking up steam fast, other data is also available on underground markets, including credit card data, online banking accounts, malware, hacking services, and more. Just as revealed in a 2014 report, the market for stolen identities is thriving too.