Larger than meets the eye: xDedic follow-up

It now appears the number of servers bought and sold via xDedic might have been underestimated; it’s likely many more IPs have been compromised by xDedic players.

We have an update on Kaspersky Lab’s story from last week about xDedic, a virtual black market for credentials to hacked servers around the world. The number of servers traded there now appears to have been underestimated, and the IPs compromised by xDedic players are likely far more numerous than first reported.

As we reported earlier, the credentials of more than 70,000 hacked servers around the world were put on the market via xDedic. Securelist has now acquired a much wider data set, covering about 176,000 compromised servers that might have been available at xDedic at some point. You can find the list of servers, with IPs sorted by country code (the country assigned by a GeoIP lookup, not by the dump itself), in a CSV file here.

The data set covering the previously unknown servers was posted in the comments section of Securelist by an anonymous individual with a Lithuanian IP address. The person’s message contained a number of links to Pastebin, containing long lists of IP addresses and date information. Altogether they contain 176,000 unique records from October 2014 to February 2016.

Validating the data proved a bit challenging, but it is already clear that the Pastebin data set matches the timeline of the xDedic operation: it contains the IPs of many RDP servers, including ones already known to be compromised. The set also contains 100% of the subnetworks seen on the xDedic marketplace within the same time frame. A full analysis of the authenticity of the dump can be found in this Securelist blog post.

In short, nobody can confirm the authenticity of all of the data listed therein, so it should be taken with a grain of salt. However, Kaspersky Lab’s experts think there are reasons to believe that at least some portion of it is indeed authentic. Therefore, we highly recommend you check the list to see whether any of your servers are in it.
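The two checks described above, comparing the dump with the marketplace at subnetwork granularity and looking up your own address ranges in it, are straightforward to script. The following is an added example and not code from Kaspersky Lab or Securelist. It assumes the dump is a CSV with the columns ip, country and date (the real file’s exact layout is not stated here, so adjust FIELDS if yours differs); the sample dump, the “known marketplace” subnets and the address ranges it checks are all constructed for the example and use documentation ranges only.

```python
"""Check an xDedic-style IP dump against your own address ranges.

Added example, not code from Kaspersky Lab or Securelist. Assumes a CSV
with columns ip,country,date, optionally preceded by a header row; the real
dump's layout is not stated on the page, so adjust FIELDS as needed.
"""
import csv
import io
import ipaddress
from collections import Counter

FIELDS = ("ip", "country", "date")   # assumed column order

# Constructed sample in the assumed layout; not real xDedic records.
# It deliberately contains one unparsable row and one exact duplicate.
SAMPLE_DUMP = """\
ip,country,date
198.51.100.23,US,2015-03-11
198.51.100.77,US,2015-06-02
203.0.113.5,BR,2014-11-20
203.0.113.9,BR,2016-01-14
192.0.2.200,DE,2015-09-30
not-an-ip,XX,2015-01-01
203.0.113.5,BR,2016-01-14
"""


def parse_dump(text):
    """Return a list of (IPv4Address/IPv6Address, country, date) tuples.

    Rows whose IP field does not parse are skipped instead of aborting the
    run: a dump pasted by an anonymous source is expected to be noisy.
    Exact duplicate rows are kept here; callers dedupe by IP when needed.
    """
    first_line = text.lstrip().split("\n", 1)[0].lower()
    has_header = first_line.startswith("ip")
    reader = csv.DictReader(io.StringIO(text),
                            fieldnames=None if has_header else list(FIELDS))
    records = []
    for row in reader:
        try:
            ip = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            continue
        records.append((ip, (row.get("country") or "").strip(),
                        (row.get("date") or "").strip()))
    return records


def unique_ips(records):
    """Distinct addresses in the dump."""
    return {ip for ip, _, _ in records}


def subnets(records, prefix=24):
    """Set of /prefix networks the dump touches (the page compares dump and
    marketplace at subnetwork granularity, so this is the unit of comparison)."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ip, _, _ in records}


def marketplace_coverage(records, marketplace_subnets, prefix=24):
    """Fraction of the given marketplace subnets (CIDR strings) that also
    appear in the dump; 1.0 corresponds to the '100% of subnetworks' claim."""
    seen = subnets(records, prefix)
    nets = [ipaddress.ip_network(n, strict=False) for n in marketplace_subnets]
    if not nets:
        return 0.0
    return sum(1 for n in nets if n in seen) / len(nets)


def hosts_in_my_ranges(records, my_cidrs):
    """Dump records whose IP falls inside any of my_cidrs, deduplicated by IP
    (first listing wins) and sorted by address. Treat these hosts as possibly
    compromised: rotate credentials and review their RDP logon history."""
    nets = [ipaddress.ip_network(c, strict=False) for c in my_cidrs]
    found = {}
    for ip, country, date in records:
        if any(ip in n for n in nets):
            found.setdefault(ip, (ip, country, date))
    return [found[ip] for ip in sorted(found)]


def by_country(records):
    """Listing count per GeoIP country code, for a quick sanity check."""
    return Counter(country for _, country, _ in records)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{len(recs)} rows, {len(unique_ips(recs))} unique IPs, "
          f"{len(subnets(recs))} /24 networks")
    # Hypothetical marketplace subnets, constructed for the example.
    market = ["198.51.100.0/24", "203.0.113.0/24"]
    print("marketplace /24 coverage:", marketplace_coverage(recs, market))
    # Hypothetical address ranges belonging to the reader.
    for ip, cc, date in hosts_in_my_ranges(recs, ["203.0.113.0/28", "192.0.2.0/24"]):
        print(f"CHECK {ip} ({cc}) listed {date}")
```

The coverage figure is only meaningful if both sides are compared at the same prefix length; the page does not say which length Securelist used, so treat /24 as a placeholder. A hit in hosts_in_my_ranges is not proof that the host is still compromised (the page itself leaves that open), but it is enough to justify rotating the credentials and reviewing RDP logons around the listed date.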

Another discovery resulting from this dump involves the market value of compromised servers. In our first post, we mentioned that in some cases the credentials sold for as little as $6 to $8. However, according to this newly acquired data, credentials for some servers may cost as much as $6,000, and most likely those were the first to go.

After the public announcement, the xDedic website was promptly taken offline, thanks to the cooperation of several major ISPs. However, that doesn’t mean the story is over. Many questions remain: it’s still unclear where the data actually came from, and how many of those IPs are still compromised.

For a full description of the xDedic platform as well as indicators of compromise, see this report.

Also, check out our earlier post to find out how to protect your servers so that their IPs don’t end up in xDedic or some other similar black marketplace.
