Hacked servers for just a few bucks

[Blog post] xDedic highlights the threat of commoditised hacking services.

If you've got some spare change lying around, you can gain access to one of a few thousand Australian servers up for sale on an underground criminal hacking marketplace known as the xDedic forum.

Kaspersky worked closely with an as-yet unnamed European internet service provider to monitor the trade of server credentials on the forum, discovering that 2448 Australian servers had creds for sale, with terminal services access offered for between US$6 and US$8 for a few days’ worth of usage.

This is a fairly sophisticated online service: the owners of the xDedic forum have built a solution that automatically audits compromised servers prior to listing them on the marketplace, so that prospective buyers know what websites are available from the server, where it’s located, and even what software is installed on it.

If you have a server on the list, your business is compromised. Anyone renting access to your server can now do what they please, such as scanning for internal file shares, sending data from your system to the internet, or installing their own backdoor.

Hackers could also install tools to launch attacks on other businesses from your network. You’ll need to have all the network access logs and user accounting information to hand to prove that it wasn’t you that committed the offence.

Unsurprisingly, point-of-sale (PoS) systems are in high demand, with 453 servers located in 67 countries having some means of accepting electronic payments.

Nevertheless, this is a relatively small percentage of the total number of compromised servers, which Kaspersky said in May 2016 was as high as 70,624 servers from 416 unique sellers in 173 affected countries. This includes government and private sector servers from every industry vertical you can imagine.

Kaspersky thinks the xDedic forum was started by Russian cyber criminals back in 2014; however, over the last five years hacking has been commoditised and marketed by international organised criminal gangs. The sorts of services seen on the xDedic forum are being used to funnel vast sums of money into criminal gangs' coffers.

Is there anything we can do? For starters, law enforcement needs to tackle this scourge on an international, cooperative level, since the vast majority of large-scale threats we face originate from overseas (China, the US, Turkey, Russia, Taiwan and Brazil).

And while the federal government has recognised the need to invest in fighting cybercrime through its national cyber security strategy, the funding announced to further these strategic initiatives falls woefully short of investment from other nations.

So what can you do to protect yourself while you wait for the government to tackle the big problems? The problem is there are only a few businesses and government agencies that are properly equipped to detect and respond to these kinds of compromises. If you are not one of them, you'll need help.

There are enough service providers operating in this space now to have driven the costs of system monitoring down to a relatively affordable price (compared to where it was five years ago). The other benefit of buying security-as-a-service is you get all of the threat intelligence that you would not have otherwise cobbled together.

We are at an impasse. As the Kaspersky report notes: “US$8 is a very cheap price to pay for full access to potential high profile targets. Usually overlooked, servers that have been hacked using brute-force methods might present an opportunity for APT actors that doesn’t arouse suspicion.”

Cybercrime is no longer just the purview of a few select criminal groups. Hacking services are now shrink-wrapped, productised and commoditised offerings that cost next to nothing to buy, so it’s time to rethink your own information security investment strategy before it’s too late. 

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
