Compromised RDP Server Tally From xDedic May Be HigherInitial Estimate of Compromised RDP Servers on Marketplace Was Low: Kaspersky
On June 15, Kaspersky Lab unveiled research on xDedic - an online cybercrime marketplace that was trading credentials of around 70,000 Remote Desktop Protocol servers from around the world. Subsequently, Kaspersky has revealed that its original estimate on the number of compromised credentials may have been far too low, based on new data coming to light.
xDedic was an eBay-like marketplace on the internet where anyone could buy and sell credentials to compromised RDP servers worldwide - from government networks to corporations. RDP is a proprietary protocol developed by Microsoft that provides a GUI for users to connect and access systems remotely over a network connection.
According to the original disclosure in a June 15 blog post by Kaspersky, as of May, the number of RDP server credentials up for sale on the xDedic marketplace totaled more than 70,000 from 173 countries, with China and India in the top five countries by servers for sale at 5,023 and 3,488 respectively - the US topped the list. But in a later blog post on June 20, Kaspersky says the number of affected IPs may be much higher - well over 250,000 servers.
xDedic: Like eBay for Cybercrime
The xDedic developers focused on maintaining the platform and validating the server data posted for sale - in terms of if the credentials were valid, the server was online, and whether the IP was blacklisted - as a value-added service to users of the platform, according to Vitaly Kamluk, principal security researcher for APAC at Kaspersky Lab. The developers themselves were not involved in selling anything.
Unlike most cybercrime-as-a-service marketplaces, which operate underground on TOR and other networks, xDedic was available over the open web. Kamluk says that the owners are Russian speakers. The location of the servers could not be determined by researchers as the server hosting the marketplace was shielded from automated requests and protected from crawlers to prevent automatic data download (see: Why Russian Cybercrime Markets Are Thriving).
"Multiple layers of reverse proxies were used, so we don't know where the servers were hosted," Kamluk says. "Initial analysis reveals a Cloudflare address behind which a German IP was found, but we do not believe that this was the final IP and the server could have been anywhere."
xDedic was taken down June 15 in a coordinated effort by ISPs. Kaspersky learned of xDedic after a major U.S. ISP contacted the firm about a customer's server being repeatedly compromised, Kamluk says. Upon forensic analysis, links to the xDedic marketplace were first discovered (see: Fighting 'Cybercrime as a Service').
Most of the credentials available on xDedic were obtained by brute forcing servers running open RDP services, Kamluk says. In some cases, other vulnerabilities may have been exploited to get root rights on the server and enable RDP, then put it up for sale, he says.
While the most expensive server credentials up for sale were from the U.S., with the most expensive being $6,000, Indian servers were selling for $3 to $12. A vast number of the cybercriminals on xDedic were probably from Eastern Europe, and this may show low interest in India from a cybercriminal angle from this region, Kamluk adds.
Scope Bigger Than First Thought
Kaspersky Lab is now considering revising its estimate of the number of compromised RDP server credentials after receiving a comment on the original post from a Lithuanian IP sharing links to Pastebin dumps, with more than 176,000 unique IPs purportedly from xDedic from November 2014 - around when xDedic started operations - to February 2016.
Kaspersky's own research on xDedic starts in late March 2016. As a result, the total amount of server credentials compromised could hit nearly 250,000 if the data from the Pastebin dump is valid.
While Kaspersky Lab cannot say with 100 percent certainty this data is valid, but it says that there is an overlap between the Pastebin data and the IP data gathered by them from xDedic. To validate this new data, the researchers was able to determine that of the 176,000 IPs from the Pastebin list, close to 71000, or over 59 percent, were RDP servers with open RDP ports.
Moreover comparing the lists of subnets shows that all but three of 8,721 confirmed compromised subnets that Kaspersky has from xDedic dating to before March 2016 matches up to the subnets found in the Pastebin data. Kaspersky Lab therefore concludes that the new list may be genuine.
Kaspersky Lab says in its blog that the reason why the number of credentials on the xDedic marketplace looked smaller at first is because the most desirable server credentials were often sold almost as soon as they were added to marketplace, leaving only unwanted credentials for sale. "The overall number could be close to 250,000 servers, but this is a rough estimate," Kamluk says.
Kaspersky says in its blog that the source of the newly identified compromised IP data is either high-frequency monitoring of the xDedic marketplace, with access to full IP information, or someone who had advanced access to the backend - either a hosting provider or one of the developers.
Kaspersky is disseminating the IP information in its possession to CERTs in APAC and globally. While Kaspersky is not facilitating organizations checking individually if they were among those whose credentials were compromised, they are letting relevant CERTs know the specific organizations that may have been affected. Organizations should contact a CERT to determine if their credentials were affected, Kamluk says.
Here's How to Begin Remediation
While many organizations may believe that simply changing credentials will help mitigate any risk, security experts recommend taking further steps, including:
- Check all publicly listed IPs for open RDP or SSH ports.
- Ensure complex passwords are used and discourage reusing passwords across services.
- Enforce a strict RDP access policy. Blocking all external RDP or other terminal sharing requests is essential.
If an organization had even one server credential listed on xDedic, the compromise could be much deeper, says K.K. Mookhey, founder and principal consultant at NII Consulting in India. "At the very least, nearly every server in the DMZ is likely to have been compromised via this single compromised server," he says. "Deeper penetration is also likely where the DMZ barrier can be crossed through the traffic allowed between the DMZ and the internal server segment."
To detect related compromises, organizations will have to move into forensics mode and analyze the Windows event logs to determine when and how often the assets were accessed, says Sahir Hidyatullah, CEO and co-founder at security firm Smokescreen Technologies, "In many cases, they're unable to do this due to a lack of central logging and the attackers clearing the logs on the compromised host." As a result, he adds, organizations should ensure they're not only keeping central logs but storing them in a manner that precludes attackers erasing them.
"Organizations that have been compromised need to investigate," says Shomiron Das Gupta, founder of Mumbai-based security services firm Netmonastery. "Potential technical damages are backdoors and code drops." These have capability of exfiltrating data from pwned systems, he notes. Evaluating countermeasures will prove challenging for many organizations, he adds.
With the cyber-crime underground's continuous adoption of marketplace models, anyone stealing access credentials without a direct interest in exploiting them, can trade these to a more sophisticated threat actor, with the capability to extend the compromise and cause serious business impact, warns Hidayatullah (see: 'Industrialization' of Cybercrime: Sizing Up the Impact).