Attackers can buy remote access to thousands of hacked servers in Australia for just a few dollars on an underground online marketplace, security researchers have found.
Security vendor Kaspersky worked with an unnamed European internet provider to chart activity on the xDedic forum, where credentials to hacked servers are offered to buyers for US$6 to US$8 for a few days' worth of use.
Kaspersky counted [pdf] over 70,000 hacked Windows servers. Australia is in the top 20 list of countries, with access to 2448 servers up for sale in May this year. Brazil had the most (6540) followed by China (5023) and Russia (4020). In total, 416 sellers offered servers in 173 countries.
Of the hacked servers, 453 from 67 countries had point-of-sale software installed, 15 of them in Australia. Kaspersky did not identify where the hacked servers are located, but published indicators of compromise including Windows Registry entries and the file names and hashes of the control software installers.
Compromised servers on government and corporate networks are available, Kaspersky said, making them a likely option for advanced persistent threat actors with limited resources, since access through an already-compromised server attracts little attention and is often not detected.
Access to the servers, many of which were compromised with brute-force credential-guessing tools, is provided via Microsoft's Remote Desktop Protocol (RDP).
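The brute-force RDP compromises described above leave a recognisable trace in the Windows Security event log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event 4624) from the same address once a password is guessed. The script below is an added example, not code from the article or from Kaspersky's report; the log lines it parses are constructed samples in a simplified one-line-per-event format, and the threshold and field names are assumptions.

```python
"""Flag RDP brute-force activity in Windows Security event log lines.

Event 4625 = failed logon, 4624 = successful logon; LogonType 10 =
RemoteInteractive (RDP). A source IP with many RDP failures, especially
one whose failures are followed by a success, matches the pattern of the
credential-guessed servers sold on xDedic.
"""
import re
from collections import defaultdict

# Constructed sample lines (not from the article or Kaspersky's report).
# Format is a simplified one-event-per-line rendering, assumed for this example.
SAMPLE_EVENTS = """\
2016-06-15T10:00:01 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-06-15T10:00:02 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-06-15T10:00:03 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.23
2016-06-15T10:00:04 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.23
2016-06-15T10:00:05 EventID=4625 LogonType=10 Account=sqlsvc SourceIP=198.51.100.23
2016-06-15T10:00:06 EventID=4625 LogonType=10 Account=sqlsvc SourceIP=198.51.100.23
2016-06-15T10:00:07 EventID=4624 LogonType=10 Account=sqlsvc SourceIP=198.51.100.23
2016-06-15T10:05:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=203.0.113.9
2016-06-15T10:05:30 EventID=4624 LogonType=10 Account=jsmith SourceIP=203.0.113.9
2016-06-15T10:06:00 EventID=4624 LogonType=2 Account=jsmith SourceIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Return a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            ev["lt"] = int(ev["lt"])
            events.append(ev)
    return events


def detect_rdp_bruteforce(events, threshold=5):
    """Return {ip: finding} for source IPs with at least `threshold` RDP failures.

    A finding records the failure count, the set of accounts tried, and
    whether a successful RDP logon from the same IP followed the failures,
    which is the signature of a guessed password.
    """
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "success_after": False})
    for ev in events:
        if ev["lt"] != 10:
            continue  # only RemoteInteractive (RDP) logons are relevant here
        s = stats[ev["ip"]]
        if ev["eid"] == 4625:
            s["failures"] += 1
            s["accounts"].add(ev["acct"])
        elif ev["eid"] == 4624 and s["failures"] >= threshold:
            s["success_after"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        status = "SUCCESS AFTER FAILURES" if f["success_after"] else "failures only"
        print(f"{ip}: {f['failures']} RDP failures across {len(f['accounts'])} accounts ({status})")
```

Run against real data, the same logic applies to the "Source Network Address" field of 4625/4624 events exported from Event Viewer or a SIEM; the threshold should be tuned to the environment, and an IP that reaches the threshold and then succeeds warrants an immediate check of what that session did next, since a buyer of the access would arrive over the same RDP channel.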
Attackers who buy access to the servers can view and manipulate all data and use the machines as launchpads for further abuse, including site impersonation and malware hosting.
The server certificate used by xDedic appears similar to the self-signed certificate that shipped with the Dyre banking malware, issued to the fictional organisation Internet Widgits Pty Ltd, supposedly located in Australia.
Kaspersky believes xDedic was started by Russian cyber criminals in 2014, and expects the forum model to be easily replicated elsewhere.