Law enforcement authorities in the United States and Europe have shut down xDedic, the marketplace known for selling access to hacked servers and personally identifiable information.
“Several IT systems were confiscated and three Ukrainian suspects were questioned,” Eurojust, a European Union agency that deals with judicial cooperation in criminal matters among member countries, said in a statement. Investigators from the Federal Bureau of Investigation and the Criminal Investigation division of the Internal Revenue Service worked closely with Europol and law enforcement authorities in Belgium and Ukraine.
Kaspersky Lab described in great detail the services available on xDedic back in 2016. Criminal groups were selling access—usually in the form of compromised Remote Desktop Protocol (RDP) credentials—to over 176,000 unique hacked servers from around the world. Buyers could search for credentials to compromised servers by geographic location, operating system, and even price. A hacked server could be bought for as little as $6, Kaspersky said at the time. Later analysis by Flashpoint found that nearly two-thirds of the servers and PCs peddled on the xDedic underground marketplace belonged to schools and universities based in the United States.
Authorities estimate the marketplace facilitated more than $68 million in fraud, impacting victims in multiple industries, “including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities,” the United States Attorney’s Office for the Middle District of Florida said in a statement.
Domain names associated with xDedic were seized on Jan. 24, “effectively ceasing the website’s operation.” Users still trying to access xDedic would be redirected to a page explaining the marketplace has been taken offline.
While xDedic had been active since 2014, it shut down briefly in 2016 after the Kaspersky report. It re-emerged shortly after with a few changes, such as requiring members to pay $50 to buy or sell on the site. The new xDedic also relied on the Tor network to keep its operators and the locations of its underlying servers hidden from security researchers and law enforcement investigators. The cryptocurrency Bitcoin helped maintain anonymity for buyers and sellers.
Protecting RDP Endpoints
For enterprises, the fact that xDedic sold credentials to compromised servers was a big headache. With these credentials, attackers can easily establish a foothold in the network. They can move laterally and compromise other servers. They may create new accounts—or steal other credentials—so that even if these compromised credentials get revoked, they can still maintain their access. When the original Kaspersky report came out, enterprises were warned to protect their RDP endpoints.
For the most part, RDP ports should not be reachable on public IP addresses, so it is always a good idea to scan for, and close, public-facing RDP and SSH ports. Account management and password best practices help protect RDP endpoints too—such as mandating two-factor authentication for remote access, adopting strong password policies, restricting privileged access, and monitoring for unusual account behavior.
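The "monitor for unusual account behavior" advice above can be made concrete as a small detection over RDP logon events. The following is an added example, not code from the original article or from any vendor named in it: it assumes Windows Security events reduced to a constructed key=value line format (event 4624/4625, logon type 10 for RDP), an assumed list of internal address ranges, and an assumed per-account baseline of previously seen source addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form, not real logs.
# Windows 4624/4625 = logon success/failure; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2019-01-25T02:13:07Z event=4624 user=jdoe logon_type=10 src=10.0.4.22
2019-01-25T02:41:19Z event=4624 user=svc_backup logon_type=10 src=203.0.113.45
2019-01-25T02:42:03Z event=4624 user=svc_backup logon_type=10 src=203.0.113.46
2019-01-25T03:05:55Z event=4625 user=admin logon_type=10 src=198.51.100.9
2019-01-25T03:06:01Z event=4625 user=admin logon_type=10 src=198.51.100.9
2019-01-25T03:06:08Z event=4624 user=admin logon_type=10 src=198.51.100.9
2019-01-25T08:12:40Z event=4624 user=jdoe logon_type=2 src=-
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
                     r"logon_type=(?P<ltype>\d+) src=(?P<src>\S+)$")
# Assumed internal ranges (anything else counts as public) and an assumed baseline
# of source addresses previously seen per account.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_SOURCES = {"jdoe": {"10.0.4.22"}, "svc_backup": {"10.0.9.5"}}

def parse(log_text):
    # Turn key=value lines into dicts, skipping malformed lines.
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "-" or a hostname: cannot judge, so do not flag
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def find_suspicious_rdp(records, known_sources=KNOWN_SOURCES):
    """Flag RDP logons from public IPs, from unseen sources, or after repeated failures."""
    alerts, failures = [], defaultdict(int)
    for r in records:
        if r["ltype"] != "10" or r["event"] not in ("4624", "4625"):
            continue  # only RDP (RemoteInteractive) logon events matter here
        key = (r["user"], r["src"])
        if r["event"] == "4625":
            failures[key] += 1
            continue
        reasons = []
        if is_external(r["src"]):
            reasons.append("rdp-from-public-ip")
        if r["src"] not in known_sources.get(r["user"], set()):
            reasons.append("new-source-for-account")
        if failures[key] >= 2:
            reasons.append("success-after-failures")
        if reasons:
            alerts.append((r["ts"], r["user"], r["src"], reasons))
    return alerts
```

Any "rdp-from-public-ip" hit is also direct evidence that an RDP port is exposed and should be closed or moved behind a VPN or gateway.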
Even with the marketplace shuttered, these are still important tasks to perform because other portals provide similar services to criminal groups. There are other sources for compromised credentials, and xDedic's departure doesn't mean criminals will stop trafficking in stolen credentials. Customers will move to other forums and the (criminal) business will continue.
Authorities did not say whether the administrators have been arrested—the three suspects have only been questioned—so there is also a possibility the group re-emerges with a different domain name and fresh infrastructure at a later time.
Enterprise security teams need to revoke compromised credentials and protect the machines.
Next Step: Customers?
Since several pieces of xDedic's infrastructure have been seized, it is reasonable to assume that authorities have access to the list of registered users. That means law enforcement can shift its focus to these customers, since buying and selling on these forums would be considered criminal activity.
It's a plausible scenario, especially since law enforcement authorities are already investigating customers for a different marketplace that was shut down last year. The denial-of-service marketplace webstresser.org was shut down and site administrators arrested by European authorities last April. The police seized servers containing information on the site's 151,000 registered users at the time.
On Webstresser, individuals who didn’t have technical skills or the infrastructure to launch distributed denial of service attacks could find someone to do the work for as low as €15 a month. Authorities estimate that Webstresser was used to launch over four million attacks against a range of websites, including those belonging to gaming companies, law enforcement, and financial services organizations.
“Coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT) with the support of the Dutch Politie and the British National Crime Agency, actions are currently underway worldwide to track down the users of these Distributed Denial of Service (DDoS) attacks,” Europol said in its statement.
Several Webstresser customers in the United Kingdom have already been visited by police and over 60 electronic devices have been seized. "Live operations" against more than 250 users are currently in progress.
European and US authorities have taken down several other DDoS marketplaces over the past year, such as Downthem and Quantum Stresser, and they have information on those sites' users, as well.
"Size does not matter–all levels of users are under the radar of law enforcement, be it a gamer booting the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain," Europol said.