Dude, Where’s My Server?

Film director Danny Leiner released Dude, Where’s My Car? starring Ashton Kutcher and Seann William Scott in 2000. The movie opens with Jesse (Kutcher) and Chester (Scott) waking after a night of debauchery, and follows them as they retrace their steps from the previous night in search of Jesse’s missing car.

Major news outlets recently published articles about xDedic, an underground trading platform uncovered by Kaspersky Lab that facilitates the buying and selling of access to compromised servers previously belonging to governments, corporations, and universities for as little as $6 USD per server. It wouldn't surprise me if, after reading the Kaspersky report and the subsequent articles, those governments, corporations, and universities feel much like Jesse and Chester about their hijacked servers.

According to the report, xDedic was started in 2014 and appears to be run by a group of Russian-speaking hackers. xDedic partners use brute force attacks to obtain access to the servers they control. The forum garnered popularity in mid-2015 when over 3,000 servers were added to the marketplace. As of May 2016, the forum catalogued 70,624 servers from 416 unique sellers in 173 affected countries, which is up from 51,752 servers counted in March 2016. Not surprisingly, Brazil, China, Russia, and India are among the top 20 countries affected.
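The sellers' entry technique, brute-forcing logins, leaves a recognizable trace on a Windows server: a burst of Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from a single source address, sometimes followed by a 4624 (successful logon) from that same address, which is the moment the server becomes sellable. The detector below is an added example and is not code from the original post or from SentinelOne's product. The event IDs and logon type are real Windows values; the simplified one-line log format, the log lines themselves, and the threshold and window sizes are constructed for illustration.

```python
"""Flag RDP brute-force bursts, and successes that follow them, from Windows logon events.

Added example, not code from the original post or from SentinelOne.
Event IDs 4625 (failed logon) / 4624 (successful logon) and logon type 10
(RemoteInteractive = RDP) are real Windows values; the log lines and the
"timestamp event_id logon_type user src_ip" format are constructed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real host).
SAMPLE_LOG = """\
2016-06-20T10:00:01 4625 10 administrator 198.51.100.7
2016-06-20T10:00:02 4625 10 admin 198.51.100.7
2016-06-20T10:00:03 4625 10 root 198.51.100.7
2016-06-20T10:00:04 4625 10 administrator 198.51.100.7
2016-06-20T10:00:05 4625 10 sysadmin 198.51.100.7
2016-06-20T10:00:06 4625 10 administrator 198.51.100.7
2016-06-20T10:00:09 4624 10 administrator 198.51.100.7
2016-06-20T10:05:00 4625 10 jsmith 203.0.113.9
2016-06-20T10:05:30 4624 10 jsmith 203.0.113.9
2016-06-20T11:00:00 4625 3 svc_backup 192.0.2.14
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")
RDP_LOGON_TYPE = "10"      # RemoteInteractive
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "user": user, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: finding} for sources with >= threshold failed RDP logons
    inside a sliding window (assumed defaults: 5 failures in 1 minute).
    A later successful RDP logon from a flagged source is escalated to
    'success_after_bruteforce', since that is the case worth paging on."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    tried = defaultdict(set)      # src -> usernames attempted
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RDP logons matter here
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["ts"])
            tried[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()               # drop failures older than the window
            if len(q) >= threshold:
                f = flagged.setdefault(src, {"severity": "bruteforce", "failures": 0,
                                             "first_seen": q[0]})
                f["failures"] = max(f["failures"], len(q))   # peak burst size
                f["users"] = set(tried[src])
        elif ev["event_id"] == SUCCESS_LOGON and src in flagged:
            flagged[src]["severity"] = "success_after_bruteforce"
            flagged[src]["compromised_user"] = ev["user"]
    return flagged


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, finding["severity"], finding["failures"], sorted(finding["users"]))
```

Against the sample, only 198.51.100.7 is reported: six failures across four usernames in one minute, then a successful logon as `administrator`. The single failure from 203.0.113.9 (a user mistyping a password) and the non-RDP failure from 192.0.2.14 stay below the threshold, which is the point of the window: a raw count of 4625 events would fire on every typo.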

Cybercriminals can use servers purchased through xDedic in a variety of ways, and specific tests are conducted to prove that the servers have not been blacklisted by online resources. Servers are also tagged, usually with the logo of the online service associated with the server (Airbnb, Target, or Chase Bank, for example), so buyers are guaranteed an active and viable purchase.

xDedic bundles tools into the purchase price: a patch for Remote Desktop Protocol (RDP) servers that enables multiple concurrent user logins, along with other hacking tools such as proxy installers and system information collectors. Buyers then have access to information about the system, including the websites reachable from it and any software installed. For instance, a cybercriminal can purchase access to a server with credit card-processing point-of-sale software installed, and can then install malware to harvest the credit card data available on the compromised server.

As stated at the end of the report, the xDedic marketplace is a low-cost alternative for bad actors with limited resources and a penchant for launching attacks against high-profile targets, including major banks, email providers, and retail outlets.

If you're an organization whose critical servers host sensitive data, it's natural to wonder whether your name is on this underground trading list. Rather than worry, make sure you have the ability to detect unusual server activity and take automated action to stop it. SentinelOne's Critical Server Protection Platform works on both Windows and Linux servers and provides behavior-based detection and mitigation of malicious activity, all at low system overhead. Check out the latest datasheet, and contact us to see a live demo of the solution.