Last week, security firm Kaspersky reported on an underground marketplace called xDedic, a platform for buying and selling access to compromised RDP servers. Some 70,000 hacked servers were up for sale, spanning 173 countries. The xDedic website went offline soon after the story broke.
However, the reveal held another surprise.
The day after the announcement, the tale of the marketplace, which has since been taken down, took a twist. A comment on the announcement page, congratulating the security firm on its public exposure of xDedic, posted a whole cache of Pastebin links that the commenter claimed led to more hacked servers.
One of these ‘pastes’ contained about 19,000 records, and the author of the comment noted that they related to hacked servers in the xDedic marketplace. Altogether, the pastes add up to nearly 176,000 unique records, collected between October 2014 and February 2016.
Kaspersky researchers saw enough reason to probe further and set out to validate the submitted data, comparing the Pastebin records with their own data on the xDedic marketplace. The two datasets began to overlap in June 2015.
The researchers then counted the unique IP addresses that the Pastebin dump shared with the ‘sinkhole’ data, that is, the data taken from the marketplace. The check returned 1,303 unique IP addresses present in both the Pastebin and the sinkhole data.
RDP servers were the next thing to look for. As Kaspersky revealed:
[W]e simply scanned known IPs for the most popular RDP ports. The results were quite impressive: 71,784 IPs had the RDP service running on port range 3300-3400 (most of them were on standard port 3389).
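The quoted scan is a plain port sweep. A more reliable check, shown here as an added example rather than Kaspersky's own tooling, sends the X.224 Connection Request with an RDP Negotiation Request that every RDP client sends first and parses the server's Connection Confirm, so a listener on an odd port in the 3300-3400 range is recognised as RDP (and its security mode, NLA or legacy, is reported) instead of being counted just because the port was open. The sample replies at the bottom are constructed bytes, not captured traffic; the protocol constants follow MS-RDPBCGR as I recall them and the `summarize_hits` helper is a hypothetical name.

```python
"""Added example (not Kaspersky's code): probe a host for RDP by speaking the
first round of the protocol (MS-RDPBCGR 2.2.1.1 / 2.2.1.2) and parsing the
reply. Sample replies below are constructed, not captured from real servers."""
import socket
import struct

PROTOCOL_RDP = 0x00000000     # standard RDP security
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication (NLA)

FAILURE_CODES = {              # RDP_NEG_FAILURE failureCode values
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
}


def build_x224_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)          # type, flags, length, protocols
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req  # LI, CR code, DST/SRC-REF, class
    return struct.pack("!BBH", 0x03, 0x00, 4 + len(x224)) + x224      # TPKT version 3, total length


def parse_x224_connection_confirm(data):
    """Return a dict describing an RDP Connection Confirm, or None if the bytes
    are not one (HTTP banner, SSH banner, garbage, truncated packet)."""
    if len(data) < 11 or data[0] != 0x03:
        return None
    if struct.unpack("!H", data[2:4])[0] != len(data):   # TPKT length must match
        return None
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:                            # 0xD0 = X.224 Connection Confirm
        return None
    # No negotiation block after the fixed part: the server only offers
    # standard RDP security (no TLS, no NLA).
    info = {"rdp": True, "nla": False, "selected_protocol": PROTOCOL_RDP, "failure": None}
    if li >= 14 and len(data) >= 19:
        neg_type = data[11]
        value = struct.unpack("<I", data[15:19])[0]
        if neg_type == 0x02:                             # RDP_NEG_RSP
            info["selected_protocol"] = value
            info["nla"] = bool(value & PROTOCOL_HYBRID)
        elif neg_type == 0x03:                           # RDP_NEG_FAILURE
            info["failure"] = FAILURE_CODES.get(value, value)
    return info


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed")
        buf += chunk
    return buf


def probe_rdp(host, port=3389, timeout=3.0):
    """Live probe (does network I/O): connect, send the request, parse the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_x224_connection_request())
            header = _recv_exact(s, 4)
            total = struct.unpack("!H", header[2:4])[0]
            data = header + _recv_exact(s, total - 4)
    except (OSError, struct.error):
        return None
    return parse_x224_connection_confirm(data)


def scan_host(host, ports=range(3300, 3401), timeout=1.0):
    """Yield (host, port) for every port in the range that answers as RDP."""
    for port in ports:
        if probe_rdp(host, port, timeout) is not None:
            yield (host, port)


def summarize_hits(hits, low=3300, high=3400):
    """hits: iterable of (ip, port) that answered as RDP. Returns the two
    numbers the article quotes: distinct IPs with RDP in the range, and how
    many of those were on the default port 3389."""
    hits = list(hits)
    in_range = {ip for ip, port in hits if low <= port <= high}
    on_default = {ip for ip, port in hits if port == 3389}
    return len(in_range), len(on_default)


# Constructed sample replies for offline checks (hex spelled out byte by byte).
SAMPLE_CC_NLA = bytes.fromhex("030000130ed000001234000200080002000000")      # NEG_RSP, HYBRID selected
SAMPLE_CC_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")  # NEG_FAILURE code 5
SAMPLE_CC_LEGACY = bytes.fromhex("0300000b06d00000123400")                   # CC with no negotiation block
SAMPLE_NOT_RDP = b"HTTP/1.1 400 Bad Request\r\n"
```

Run `probe_rdp("192.0.2.1")` against a host you are authorised to test; a result with `"nla": False` is the finding that matters here, since servers without NLA expose the full login screen (and any RDP stack bugs) to anyone who can reach the port.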
Finally, the researchers compared the lists of subnets in the two datasets, with results they described as “astonishing”.
The marketplace subnets seen before March 2016 totaled 8,721, and 8,718 of them also appeared in the Pastebin dataset. Only three marketplace subnets were missing from the Pastebin dump, which the researchers took as strong evidence that the submitted lists were genuine.
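The three cross-checks above (shared IPs, subnet coverage before a cut-off date, and whether the timeline lines up) are simple set operations once each dump is reduced to unique IPs. The following is an added example, not Kaspersky's code, run on a handful of constructed records rather than the real dumps; it assumes the subnet comparison is done at /24 granularity, which the article does not specify, and the function names are my own.

```python
"""Added example (not Kaspersky's code): the dataset cross-checks the article
describes, on constructed sample data. Assumption: subnets compared at /24."""
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample records (ip, date seen). Not real xDedic or Pastebin data.
PASTEBIN_RECORDS = [
    ("192.0.2.45", date(2014, 10, 30)),
    ("203.0.113.10", date(2015, 6, 3)),
    ("203.0.113.77", date(2015, 6, 9)),
    ("198.51.100.5", date(2015, 11, 21)),
    ("198.51.100.5", date(2016, 1, 14)),    # same server seen again: one unique IP
    ("192.0.2.44", date(2016, 2, 2)),
]
MARKETPLACE_RECORDS = [
    ("203.0.113.10", date(2015, 6, 5)),
    ("10.20.30.40", date(2015, 9, 9)),      # subnet absent from the Pastebin data
    ("198.51.100.5", date(2015, 12, 1)),
    ("192.0.2.200", date(2016, 1, 20)),
    ("192.0.2.9", date(2016, 4, 2)),        # after the cut-off: excluded
    ("203.0.113.250", date(2016, 5, 30)),   # after the cut-off: excluded
]
CUTOFF = date(2016, 3, 1)                   # "before March 2016", as in the article


def unique_ips(records, since=None, before=None):
    """Distinct IPs, optionally restricted to sightings in [since, before)."""
    ips = set()
    for ip, seen in records:
        if (since is None or seen >= since) and (before is None or seen < before):
            ips.add(ipaddress.ip_address(ip))
    return ips


def subnets(ips, prefix=24):
    """Collapse IPs to their containing networks (assumed /24 granularity)."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}


def overlap_report(market, paste, prefix=24):
    """The numbers the article quotes: shared IPs, marketplace subnets, how
    many of those also occur in the Pastebin data, and which are missing."""
    market_nets = subnets(market, prefix)
    paste_nets = subnets(paste, prefix)
    matched = market_nets & paste_nets
    return {
        "shared_ips": len(market & paste),
        "market_subnets": len(market_nets),
        "matched_subnets": len(matched),
        "missing_subnets": sorted(str(n) for n in market_nets - paste_nets),
        "coverage": len(matched) / len(market_nets) if market_nets else 0.0,
    }


def monthly_counts(records):
    """Sightings per month, to eyeball whether two dumps follow the same dynamics."""
    return Counter(seen.strftime("%Y-%m") for _ip, seen in records)


def run(cutoff=CUTOFF):
    market = unique_ips(MARKETPLACE_RECORDS, before=cutoff)
    paste = unique_ips(PASTEBIN_RECORDS, before=cutoff)
    return overlap_report(market, paste)


if __name__ == "__main__":
    print(run())
    print(sorted(monthly_counts(PASTEBIN_RECORDS).items()))
    # The validation gap the researchers mention: nothing from the paste in
    # March-June 2016 even though the marketplace kept listing servers.
    window = dict(since=date(2016, 3, 1), before=date(2016, 7, 1))
    print(len(unique_ips(PASTEBIN_RECORDS, **window)),
          len(unique_ips(MARKETPLACE_RECORDS, **window)))
```

On the sample data the report shows 2 shared IPs, 3 of 4 marketplace subnets covered and `10.20.30.0/24` missing; the real comparison reported 8,718 of 8,721. Note that subnet overlap is a weaker signal than IP overlap (a /24 hosting one known-compromised server says little about its neighbours), which is why the researchers led with the 1,303 exact IP matches.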
With the updated list of IPs revealed by Pastebin, the United States and the United Kingdom now top the list of the countries with the most compromised servers.
The researchers concluded:
What we can tell for sure is that the Pastebin dataset:
- Matches the timeline of the xDedic operation.
- Contains the IPs of many RDP servers.
- Contains many IPs of known compromised RDP servers.
- Shows a correlation with the dynamics of the xDedic marketplace offering.
- Contains 100% of the subnetworks we saw on the xDedic marketplace within the same timeframe.
Questions remain as to where the data came from in the first place, and the absence of records for March to June 2016 leaves a gap that further data would help to close.
Finally, the Kaspersky researchers thanked the poster of the Pastebin data, but asked that such information be shared privately in future:
Had we received this information via a private channel (email, private URL, etc.), we would have been happy to relay it to CERTs and local authorities of affected countries via our established channels and partners. So we would ask that in future those who respond to our research refrain from dumping such data into the public domain.