After Kaspersky Labs exposed xDedic last summer as a marketplace offering hacked servers for sale or hire, many believed it was curtains for the operation.
The exposé was meant to drive traffic away from a marketplace that trades in illegitimately obtained servers.
However, after only a few weeks offline, the marketplace was back doing what it apparently does best: selling even more hacked servers, at an average price of around $6 each.
Kaspersky's 25-page report put the initial number of hacked servers for sale or hire on the xDedic marketplace at around 70,000.
Since its return, the marketplace has been confirmed to list more than 85,000 servers for sale or hire.
The majority of the compromised servers share the same fatal flaw: an RDP (Remote Desktop Protocol) service exposed to the internet and left unsecured.
The xDedic marketplace is believed to be run by a group of Russian-speaking hackers. It is a hackers' haven: its user forums share information and hacking tools such as sysinfo collectors and proxy installers.
Much of the support offered in the forums aims to help buyers patch the RDP service on a purchased server so that it accepts multiple concurrent user logins, which lets the buyer use the machine without displacing, and alerting, its legitimate user.
How Cybercriminals Use RDP Servers
The servers listed for sale or hire on the xDedic marketplace seem to bear no connection to one another, save that they are all reachable over RDP.
Through them, hackers can cheaply obtain access to, or "ownership" of, servers belonging to corporate or governmental institutions, together with the sensitive data and administrative privileges those servers hold.
From this vantage point, follow-on hacking and ransomware attacks are often devastating and can cause irreparable damage to the institutions involved.
The RDP servers on xDedic carry marketplace tags, put in place to show that a server has not been blacklisted by any online resource and which sites or software it can reach; the lists of public websites checked focus on Point of Sale software, accounting and tax reporting.
Installed on the compromised RDP servers are features and software for mass email-sending, so that the hackers can run phishing campaigns from the server without drawing suspicion.
In some cases, the hackers install additional software that lets them fraudulently obtain money.
Kaspersky's report on the xDedic marketplace should have put it out of business for good. Instead, according to a team of cybersecurity experts at Flashpoint, business on xDedic is the best it has ever been.
The group conducted a full analysis of xDedic data and found the number of listed servers still growing rapidly, even as much of the marketplace's user traffic has moved to harder-to-reach corners of the dark web.
Flashpoint Director of Research Vitali Kremez believes that a well-known threat actor, one that has repeatedly targeted healthcare institutions, drew on that dataset in several of its breaches that ended in ransom demands.
More than a few of the servers were protected only by simple passwords; they were brute-forced and then used as leverage in ransomware incidents.
The analysis of the xDedic data also showed that almost 75 percent of the compromised RDP servers belonged to educational institutions, most of them located in Germany, Ukraine and the United States.
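The two failure modes the article keeps returning to, an RDP service reachable from the internet and accounts protected by guessable passwords, leave a trace that a defender can detect in the Windows Security log before a server ends up listed on a marketplace like xDedic. The Python below is an added example, not code from the article, from Kaspersky or from Flashpoint. It assumes the log events have been flattened into one key=value line each (the sample lines are constructed for illustration) and relies on the standard Windows meanings of Event ID 4625 (failed logon), 4624 (successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP). It flags any source address that racks up a burst of failed RDP logons and reports whether the same address then logged in successfully, the signature of a weak password being guessed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security events pre-flattened to one
# key=value line each (not real log output). The first block is a
# password-guessing burst that succeeds; the second is two isolated
# failures; the third is a burst of network (type 3) logons, not RDP.
SAMPLE_EVENTS = """\
2017-01-09T03:12:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-01-09T03:12:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-01-09T03:12:17 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2017-01-09T03:12:26 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-01-09T03:12:34 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-01-09T03:12:41 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-01-09T03:13:05 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2017-01-09T03:20:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2017-01-09T03:40:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2017-01-09T03:41:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2017-01-09T03:45:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2017-01-09T03:45:10 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2017-01-09T03:45:20 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2017-01-09T03:45:30 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2017-01-09T03:45:40 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
"""

# Field layout is an assumption of this example, not a Windows format.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Parse flattened event lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for source IPs with at least `threshold` failed
    RDP logons inside any `window`, noting a later successful RDP logon
    from the same IP (the weak password was guessed)."""
    rdp = [e for e in events if e["lt"] == RDP_LOGON_TYPE]
    failures = defaultdict(list)
    for e in rdp:
        if e["eid"] == FAILED_LOGON:
            failures[e["ip"]].append(e)  # already chronological

    findings = {}
    for ip, fails in failures.items():
        # Sliding window: largest number of failures within `window`.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        success = next(
            (s for s in rdp if s["eid"] == SUCCESS_LOGON
             and s["ip"] == ip and s["ts"] >= fails[0]["ts"]),
            None,
        )
        findings[ip] = {
            "failures_in_window": best,
            "usernames": sorted({f["user"] for f in fails}),
            "followed_by_success": success["user"] if success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, f)
```

On the constructed sample only 198.51.100.23 is reported: six failures in under a minute across two account names, followed by a successful RDP logon as administrator. The two jsmith failures twenty minutes apart stay below the threshold, and the svc_backup burst is ignored because it is a network logon rather than RDP. Tune `threshold` and `window` to the environment; a server that should never accept RDP from the internet at all is better handled by blocking the port and alerting on any type 10 logon from a public address.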
xDedic Marketplace Has Competition
xDedic is no longer the only service that offers hacked servers for purchase or hire. Spammer, a service hosted on a Romanian domain, has appeared offering similar deals on a variety of hacked servers from different locations.
Unlike the far more established xDedic marketplace, Spammer is, experts deduce, a single-operator effort, judging by factors such as its significantly smaller inventory.
xDedic is also more of an open marketplace than Spammer. Experts are now waiting to see whether Spammer, despite being new to the scene, will share the limited lifespan of the xDedic market.