The FBI and law enforcement agencies from several European countries have shut down an underground marketplace that specialized in selling access to hacked computers and servers. Called xDedic, the site had been around for years, first on the open internet and then also on the Tor network. According to a 2016 report from Kaspersky Lab, the online shop was run by a group of Russian-speaking hackers.
The takedown happened Thursday but was only announced January 28 by Europol and Eurojust, who coordinated the investigation among authorities in Belgium, the U.S. and Ukraine. Law enforcement in Germany helped confiscate the site's IT infrastructure, and the domain names were seized through an order issued by a U.S. judge.
Police also searched nine locations in Ukraine and questioned three suspects in the country in connection with running the site or selling access to hacked servers through it. RDP (Remote Desktop Protocol) access to servers was sold for between $6 and $10,000, and customers could filter the servers by geographic location, operating system and other criteria.
Tens of thousands of servers were listed on the marketplace over the years and they included servers from businesses from various sectors, educational organizations, government institutions, hospitals, emergency services and major metropolitan transit authorities. The investigators estimate that the site facilitated over $68 million in fraud.
In addition to remote access to servers, xDedic vendors also provided buyers with RDP patches to enable concurrent logins on hacked machines as well as proxies to install on servers and other tools to collect information from them. In 2016, the number of hacked servers listed was 75,000, but it later increased.
Authorities in Belgium launched an investigation into xDedic in 2016 after the site was used to sell access to machines from many organizations in the country. This resulted in an agreement of cooperation between Belgium, Ukraine, Eurojust and Europol in 2018. Meanwhile, authorities in the U.S. were running their own investigation into the site and its administrators, and last year they joined forces with European investigators in a series of meetings.
"Through their coordinated efforts, Belgian, Ukrainian and American judicial, prosecutorial and police authorities struck a devastating blow against the online marketplace for the illegal trade of hacked computer systems," Eurojust said in its takedown announcement. "An important signal was also sent to the perpetrators of other online criminal activities, including on the dark web, that they are not immune from criminal investigation and prosecution."
RDP attacks are effective, but preventable
The hackers gained access to servers mainly through RDP brute-force attacks using lists of leaked or common credentials. RDP attacks are increasing in popularity among hackers, yet they are preventable with proper protections in place. For example, businesses should have strong password policies in place for remote access and should enforce limits on login attempts.
In September, the FBI's Internet Crime Complaint Center (IC3) issued a public alert about "the rise of dark markets selling RDP Access," and listed the most common causes of compromise as weak passwords, outdated versions of RDP with flawed CredSSP encryption, unrestricted access to the default RDP port (TCP 3389) and allowing unlimited login attempts to user accounts. The alert also included useful recommendations for addressing such weaknesses.
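As an added defensive illustration (not code from the article or the IC3 alert), the Python script below parses constructed, simplified Windows logon events and flags a burst of failed RDP logons from a single source, the brute-force pattern that login-attempt limits are meant to stop; the log format, field names, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real logs) in a simplified Windows Security log
# format: EventID 4625 = failed logon, 4624 = success, LogonType 10 = RDP.
SAMPLE_LOG = """\
2019-01-24T02:00:01Z EventID=4625 LogonType=10 User=administrator Src=198.51.100.7
2019-01-24T02:00:03Z EventID=4625 LogonType=10 User=administrator Src=198.51.100.7
2019-01-24T02:00:05Z EventID=4625 LogonType=10 User=admin Src=198.51.100.7
2019-01-24T02:00:06Z EventID=4625 LogonType=10 User=root Src=198.51.100.7
2019-01-24T02:00:08Z EventID=4625 LogonType=10 User=administrator Src=198.51.100.7
2019-01-24T02:00:09Z EventID=4624 LogonType=10 User=administrator Src=198.51.100.7
2019-01-24T02:10:00Z EventID=4625 LogonType=10 User=jsmith Src=203.0.113.5
2019-01-24T02:00:02Z EventID=4625 LogonType=2 User=jdoe Src=-
"""
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) Src=(\S+)$")

def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(m.group(2)), "type": int(m.group(3)),
                       "user": m.group(4), "src": m.group(5)})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold RDP failures in a sliding window; note a later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != 10:
            continue  # only remote-interactive (RDP) logons are of interest here
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].append(e)
    alerts = {}
    for src, fails in failures.items():
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                alerts[src] = {"attempts": len(burst),
                               "users": sorted({f["user"] for f in burst}),
                               "success_after": any(s["ts"] >= last for s in successes[src])}
                break  # one alert per source is enough
    return alerts
```

A `success_after` of True is the case worth escalating: a burst of failures followed by a successful logon from the same address is the signature of a guessed credential rather than a locked-out attacker.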
Attackers have abused RDP access in the past to deploy ransomware, such as SamSam, CrySiS and CryptON, and to steal sensitive information. Some of these malware threats have caused major disruptions in hospitals and other public institutions.