Online Marketplace Selling Hacked Server Credentials Taken Offline by Authorities
xDedic, an online marketplace for buying and selling hacked server credentials, is no longer accessible to users after authorities took it offline as part of the coordinated multi-country law enforcement action.
Users who try to access the xDedic website are redirected to a U.S. government site explaining that the online marketplace was taken offline. On January 24 of this year, the U.S. Federal Bureau of Investigation (FBI), pursuant to a seizure warrant issued by the U.S. District Court for the Middle District of Florida, seized the servers and domain names of xDedic.
The seizure was made possible with the assistance of authorities in Europe, including the Federal Prosecutor’s Office and the Investigating Judge of Belgium, the Ukrainian National Cyber Police and the Prosecutor General’s Office of Ukraine, the Bundeskriminalamt of Germany and the European Union Agency for Law Enforcement Cooperation (Europol). Authorities also conducted house searches at 9 locations in Ukraine, and 3 Ukrainian suspects were questioned.
Prior to the seizure, users of xDedic could search hacked server credentials by criteria such as operating system and geographic location. Buyers and sellers on xDedic traded hacked server credentials for amounts ranging from USD 6 to more than USD 10,000 each. According to Europol, the online platform is believed to have facilitated more than $68,000,000 in fraud, with victims coming from different sectors, including local, state and federal government, hospitals, emergency services, major metropolitan transit authorities, accounting and law firms, pension funds and universities.
In a report dating back to 2016, Kaspersky Lab said xDedic started its online marketplace operation in 2014 and gained major popularity in mid-2015, when more than 3,000 hacked server credentials were added to the marketplace. By May 2016, Kaspersky Lab said, 70,624 hacked server credentials from 173 countries had been added to the marketplace.
How Did Attackers Gain Access to the Hacked Servers?
Sellers on xDedic gained access to hacked servers by exploiting weaknesses in Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft that allows an individual to control a server anywhere in the world over the internet. Attackers gained access to the servers via RDP through the following:
1. Brute Force Attack
A brute force attack is the process of trying username and password combinations again and again until the right combination is found.
Brute force attacks are especially effective when weak passwords (those containing dictionary words with no mixture of numbers, uppercase/lowercase letters and special characters) are used. This form of attack is only effective when unlimited login attempts are allowed and 2-factor authentication isn’t used.
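Brute force attempts leave a trail in the Windows Security log, so the defender's side of this section can be shown in code. The script below is an added example, not part of the original article: it takes failed-logon events (Event ID 4625) as objects with TimeCreated, IpAddress, TargetUserName and LogonType properties and flags any source address that exceeds a threshold within a time window; the threshold, window and sample events are assumptions chosen for the demonstration.

```powershell
# Flag RDP brute-force attempts in the Windows Security log (added example, not from the article).
# Event ID 4625 = failed logon. Logon type 10 = RemoteInteractive (classic RDP); with Network
# Level Authentication enabled, failed RDP logons are usually logged as type 3 (Network), so both count.

function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, IpAddress, TargetUserName and LogonType properties
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,      # this many failures from one source IP ...
        [int] $WindowMinutes = 5    # ... within this many minutes
    )
    $rdpFailures = $Events | Where-Object { $_.LogonType -in @(3, 10) -and $_.IpAddress -and $_.IpAddress -ne '-' }
    foreach ($group in ($rdpFailures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        # Sliding window: compare each failure with the one ($Threshold - 1) failures before it
        for ($i = $Threshold - 1; $i -lt $times.Count; $i++) {
            if (($times[$i] - $times[$i - $Threshold + 1]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Usernames = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break   # one alert per source IP
            }
        }
    }
}

# Live use on a server (elevated prompt): pull the last hour of 4625 events and flatten the XML fields.
# $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
# $events = $raw | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; IpAddress = $d.IpAddress
#                        TargetUserName = $d.TargetUserName; LogonType = [int]$d.LogonType }
# }
# Find-RdpBruteForce -Events $events

# Constructed sample: 12 failures in 2 minutes from one IP (flagged), 2 failures 30 minutes apart from another (not flagged).
$start  = Get-Date '2019-01-24 03:00:00'
$sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ TimeCreated = $start.AddSeconds($_ * 10); IpAddress = '203.0.113.7'
                                                TargetUserName = @('administrator', 'admin', 'backup')[$_ % 3]; LogonType = 3 } }
    0..1  | ForEach-Object { [pscustomobject]@{ TimeCreated = $start.AddMinutes($_ * 30); IpAddress = '198.51.100.2'
                                                TargetUserName = 'jsmith'; LogonType = 10 } }
)
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
```

On the constructed sample only 203.0.113.7 is reported, with the three usernames it cycled through; a lockout policy or 2-factor authentication (see the best practices below) is what turns such a detection into a blocked attack.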
2. Flawed CredSSP
Outdated RDP versions still use a flawed version of CredSSP, an encryption mechanism whose weakness enables a man-in-the-middle attack: a form of cyberattack in which an attacker positions himself between two parties, such as a user and an application, by impersonating one of them, making it appear as though a normal exchange of information is taking place. Up-to-date RDP versions have already fixed this CredSSP flaw.
3. Unrestricted Access to Default RDP Port (TCP 3389)
Windows servers are remotely accessed over TCP 3389, the default RDP port. Failing to change this default RDP port leaves attackers an obvious entry point for compromising an organization’s servers.
Hacked Server Threats
Once attackers get inside your organization’s server via vulnerable RDP (through brute force, flawed CredSSP or unrestricted access to the default RDP port), they can install malicious software (malware) on the server. Here is some of the malware that attackers have installed via vulnerable RDP in the past:
Bitcoin Mining Software
Mining cryptocurrency such as Bitcoin on one’s own server is legal: the owner of the computer used for mining is compensated for it. Attackers have been known to install Bitcoin mining software on servers hacked via RDP, without the knowledge of the server owners, and then pocket the Bitcoins earned from the mining.
Ransomware
CryptON, also known as Nemesis or X3M, is a type of malware that targets servers running the Windows operating system. It is distributed and executed manually after an RDP brute force attack, that is, after guessing username and password combinations again and again until the right one is found.
The malware then encrypts all files on the infected server except those under C:\Windows, C:\Program Files and the user profile folder, to avoid impacting critical system processes. By encrypting these files, it denies legitimate users access to the server until a ransom is paid. Attackers typically ask victims to pay the ransom in Bitcoin.
Samsam is another ransomware family that targets servers running Windows and is distributed and executed manually via RDP after a brute force attack. According to the FBI, in July 2018 Samsam attackers used a brute force attack on RDP login credentials to infect the server of a healthcare company. From that initial infection of the company’s server, the FBI said, Samsam ransomware was able to encrypt thousands of computers connected to the server before it was detected.
Cybersecurity Best Practices
Here are some cybersecurity best practices for protecting your organization’s server from RDP attacks:
Brute Force Attack Protection
Protect your organization’s server from RDP brute force attacks by using strong username and password combinations. A strong combination typically avoids dictionary words and mixes special characters, numbers and uppercase/lowercase letters.
Limiting login attempts and using 2-factor authentication are ideal for preventing RDP brute force attacks.
RDP Port Protection
Changing the default RDP port helps secure your organization’s server. In addition, a server with an open RDP port should sit behind a firewall, and users should be required to connect through a Virtual Private Network (VPN) to reach it through the firewall.
Keep All Software Up-to-Date
One of the best ways to protect your organization’s server from RDP attacks is to keep all of your organization’s software up to date. For instance, man-in-the-middle attacks resulting from the flawed CredSSP can be prevented by using updated RDP versions.
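The three recommendations above (limit login attempts, protect the RDP port behind a firewall and VPN, keep software updated) can be applied from one elevated PowerShell session on the server. The script below is an added example, not the article's or GenX's own procedure; the port 33890, the VPN range 10.8.0.0/24 and the lockout values are assumed and should be adjusted for your environment.

```powershell
# Apply the three RDP protections above on a Windows Server (added example, not the article's or GenX's own).
# Run from an elevated PowerShell prompt on the console or over the VPN: RDP sessions drop when TermService restarts.
$NewRdpPort = 33890             # assumed non-default port
$VpnSubnet  = '10.8.0.0/24'     # assumed VPN client range allowed to reach RDP
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Brute force: lock an account for 30 minutes after 5 bad passwords within 30 minutes
#    (local accounts; for domain accounts set the same values in the Default Domain Policy).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Require Network Level Authentication (credentials checked before a session is created)
#    and the TLS security layer (2) instead of legacy RDP security (0).
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2

# 3. Move RDP off TCP 3389 and allow the new port only from the VPN range.
Set-ItemProperty -Path $rdpTcp -Name 'PortNumber' -Value $NewRdpPort
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule     # built-in 3389 rules
New-NetFirewallRule -DisplayName "RDP $NewRdpPort (VPN only)" -Direction Inbound -Protocol TCP `
    -LocalPort $NewRdpPort -RemoteAddress $VpnSubnet -Action Allow | Out-Null

# 4. Keep software up to date (the CredSSP fix shipped as a Windows update): list pending updates
#    through the Windows Update Agent COM API, which needs no extra module.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
"Pending updates: $($pending.Count)"
$pending | ForEach-Object { " - $($_.Title)" }

Restart-Service TermService -Force      # port, NLA and security-layer changes take effect after restart
```

Moving the port is obscurity rather than a control on its own; the firewall rule scoped to the VPN range and the lockout policy are what actually stop the brute force and open-port scenarios described earlier.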
At GenX, we help organizations proactively support their IT while ensuring data protection and security. Contact us today to schedule a consultation and protect your data against common threats.