Biz & IT —

For sale: 70k hacked government and corporate servers—for as little as $6 apiece

Newly revealed bazaar is a hacker's dream and makes attacks cheaper and faster.

For sale: 70k hacked government and corporate servers—for as little as $6 apiece

Underscoring the flourishing world of for-profit hacking, researchers have uncovered a thriving marketplace that sells access to more than 70,000 previously compromised servers, in some cases for as little as $6 apiece.

As of last month, the xDedic trading platform catalogued 70,624 servers, many belonging to government agencies or corporations from 173 countries, according to a report published Wednesday by researchers from antivirus provider Kaspersky Lab. That number was up from 55,000 servers in March, a sign that the marketplace operators carefully maintain and update the listed inventory.

"From government networks to corporations, from Web servers to databases, xDedic provides a marketplace for buyers to find anything," Kaspersky researchers wrote in a separate blog post. "And the best thing about it—it's cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6." The post continued:

"The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker's dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors."

Kaspersky Lab

Interest is especially high among profit-motivated hackers looking for opportunities to carry out crimes involving accounting, tax returns, and credit cards. For instance, xDedic makes it easy for users to purchase access to servers that have credit card-processing point-of-sale software installed. The users can then install malware that harvests card data funneled through the compromised servers. Included in the fee are software tools that make the compromised servers update Microsoft's remote desktop protocol so it can accommodate multiple user logins. Other tools provided include proxy installers and system information collectors.

"The main goal of the xDedic forum is to facilitate the buying and selling of credentials for hacked servers which are available through RDP," Kaspersky researchers wrote.

Kaspersky Lab

The marketplace may also be a boon for a separate class of hacking groups known as advanced persistent threat actors. In contrast to profit-motivated criminals who opportunistically attack any victim with weak defenses, APT actors target specific organizations or individuals, often because of the politics they espouse, the country they support, or the information they hold. A Russian hacking group penetrating the Democratic National Committee or a Chinese operation that compromises US defense contractors are two examples of APT actors.

While most APT actors are traditionally well-funded, the existence of marketplaces like xDedic lower the bar to entry for this class of hackers. As Kaspersky researchers explained:

The vast amount of servers for sale on the xDedic marketplace offers a very likely alternative for APT actors with low resources, willing to fly under the radar or having difficulties in getting a foothold in any of its victims. 8 USD is a very cheap price to pay for full access to potential high profile targets. Usually overlooked, servers that have been hacked using brute-force methods might present an opportunity for APT actors that doesn’t arouse suspicion.

Channel Ars Technica