Police Shut Down xDedic Marketplace for Compromised Servers (Decipher)

“Several IT systems were confiscated and three Ukrainian suspects were questioned,” Eurojust, a European Union agency that deals with judicial cooperation in criminal matters among member countries, said in a statement. Investigators from the Federal Bureau of Investigation and the Criminal Investigation division of the Internal Revenue Service worked closely with Europol and law enforcement authorities in Belgium and Ukraine.

Kaspersky Lab described in great detail the services available on xDedic back in 2016. Criminal groups were selling access—usually in the form of compromised Remote Desktop Protocol credentials—to over 176,000 unique hacked servers from around the world.

Buyers could search for credentials to compromised servers by geographic location, operating system, and even price. Buyers could buy a hacked server for as little as $6, Kaspersky said at the time. Later analysis by Flashpoint found that nearly two-thirds of the servers and PCs peddled on the xDedic underground marketplace belonged to schools and universities based in the United States.

Authorities estimate the marketplace facilitated more than $68 million in fraud, impacting victims in multiple industries, “including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities,” the United States Attorney’s Office for the Middle District of Florida said in a statement.

While xDedic had been active since 2014, it shut down briefly in 2016 after the Kaspersky report. It re-emerged shortly after with a few changes, such as requiring members to pay $50 to buy or sell on the site. The new xDedic also relied on the Tor network to keep its operators and the locations of its underlying servers hidden from security researchers and law enforcement investigators. Payment in the cryptocurrency Bitcoin helped maintain anonymity for buyers and sellers.

For enterprises, the fact that xDedic sold credentials to compromised servers was a big headache. With these credentials, attackers can easily establish a foothold in the network. They can move laterally and compromise other servers. They may create new accounts—or steal other credentials—so that even if these compromised credentials get revoked, they can still maintain their access. When the original Kaspersky report came out, enterprises were warned to protect their RDP endpoints.

For the most part, RDP ports should not be reachable on public IP addresses, so it is always a good idea to scan for, and close, public-facing RDP and SSH ports. Account management and password best practices help protect RDP endpoints too, such as mandating two-factor authentication for remote access, adopting strong password policies, restricting privileged access, and monitoring for unusual account behavior.

Even with the marketplace shuttered, these are still important tasks to perform, because other portals provide similar services to criminal groups. There are other sources for compromised credentials, and xDedic’s departure doesn’t mean criminals will stop trafficking in stolen credentials. Customers will move to other forums and the criminal business will continue.

That is a plausible scenario, especially since law enforcement authorities are already investigating customers of a different marketplace that was shut down last year. The denial-of-service marketplace webstresser.org was shut down and its site administrators arrested by European authorities last April. The police seized servers containing information on the site’s 151,000 registered users at the time.

On Webstresser, individuals who lacked the technical skills or the infrastructure to launch distributed denial of service attacks could find someone to do the work for as little as €15 a month. Authorities estimate that Webstresser was used to launch over four million attacks against a range of websites, including those belonging to gaming companies, law enforcement, and financial services organizations.