Coveware: Ransomware Recovery First Responders


xDedic - Marketplace for Hacked RDP Credentials is Taken Down

xDedic, a dark web marketplace for selling credentials for remote access to hacked servers, was taken down by US and European law enforcement. Law enforcement took possession of “several IT systems and three Ukrainian suspects were questioned,” according to Eurojust, the European Union agency that coordinates criminal matters between EU member states. The action was supported by the FBI, the IRS, Europol, and regional law enforcement authorities in Belgium and Ukraine. The domains of xDedic were seized on Jan. 24.

Visitors to xDedic were shown the seizure notice above after the takedown.

xDedic: A Key Source of Hacked Credentials That Lead to Ransomware Attacks

Hacked Remote Desktop Protocol (RDP) credentials purchased from sites like xDedic have long been a suspected origin of ransomware attacks. In Q4, brute-forced RDP access accounted for almost 85% of ransomware attacks. Ransomware distribution crews purchase access to servers that have already been breached as a complement to their own brute forcing attempts. xDedic offered credentials for as little as $5-10 each.

According to a statement by the United States Attorney’s Office for the Middle District of Florida, “the marketplace facilitated more than $68 million in fraud, impacting victims in multiple industries, including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.” Even though the individual transactions facilitated on the site were small, the credentials were used to launch major breaches and ransomware attacks.

Up and Down History of xDedic as a Criminal Marketplace

xDedic started in 2014 but was closed for a period in 2016 after Kaspersky published a detailed report on its operations. It resurfaced shortly thereafter behind a new paywall, requiring members to pay $50 to join, and moved to the Tor network for greater anonymity. Even though this prolific marketplace has been closed, other marketplaces such as MagBo provide similar services. Purchasing stolen credentials will likely move to other avenues, and the RDP attack vector will continue to be exploited.

Securing RDP Remains Critical to Defend Against Ransomware

Even though a major source of stolen RDP credentials is down, its effect on reducing ransomware may be minimal. It remains critical that businesses take a layered approach to securing remote access. We recommend the following:

  • Limit RDP Access: Do not expose RDP directly to the internet; require a VPN to reach it, and restrict access to a whitelist of IP ranges. Changing the default port (3389) reduces noise from mass scanners but is not a security control on its own. Enable account lockout provisions so that brute forcing attempts trigger a lockout or an admin alert.

  • Two-factor authentication (2FA): A purchased or brute-forced password is of little use without the second factor. The vast majority of corporate ransomware attacks could be thwarted by enabling two-factor authentication on remote sessions and all remotely accessible accounts.

  • Endpoint & alternative solutions: Today’s endpoint solutions can detect anomalies in network usage (such as an in-office workstation attempting to open an RDP session to a server it never talks to) and stop them before damage is done. Additionally, several newer products offer alternatives for remote access that are more secure than RDP.

  • Least Privilege: Users who do not need to administer critical internal services should not have access to them. Double check your permissions and make sure employees have the minimum access required to do their job. Accounts that can access critical systems, including backups, should have 2FA on them.

  • Disaster Recovery: Should an RDP-accessible system be compromised, it’s critical that a company’s BCDR plans be codified and up to date. Backup systems should hold up-to-date on-site and off-site copies of all critical data, with at least one copy kept offline or otherwise unreachable with the same credentials an attacker would obtain over RDP. IR firms should be kept on retainer to minimize costs and time to recover in the event of a breach.
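Two of the recommendations above are detections: lockouts or admin alerts when RDP brute forcing starts, and alerts when an RDP session originates from a source that should never open one. The script below is an added example (not Coveware's tooling or code from the original post) of how that logic looks when run over Windows Security log events. It assumes the events have been exported to a simple CSV of timestamp, event ID, logon type, user and source address; the sample events, the 5-failures-in-5-minutes threshold and the 10.0.1.0/24 "jump host / VPN pool" allowlist are all constructed for illustration. Event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 (RemoteInteractive) is the RDP case.

```python
"""Detect RDP brute forcing and RDP sessions from unexpected sources in
Windows Security log events. Sample data and thresholds are constructed
for this example, not taken from a real environment."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive (RDP); type 2 is a local console logon

# Constructed export: one event per line. 203.0.113.10 is an external address
# (documentation range) that fails six times, then succeeds; 10.0.5.23 is an
# ordinary workstation; 10.0.1.5 is an approved jump host.
SAMPLE_EVENTS = """\
timestamp,event_id,logon_type,user,source_ip
2019-01-24T02:00:01,4625,10,administrator,203.0.113.10
2019-01-24T02:00:03,4625,10,administrator,203.0.113.10
2019-01-24T02:00:06,4625,10,administrator,203.0.113.10
2019-01-24T02:00:09,4625,10,administrator,203.0.113.10
2019-01-24T02:00:12,4625,10,administrator,203.0.113.10
2019-01-24T02:00:15,4625,10,administrator,203.0.113.10
2019-01-24T02:03:00,4624,10,administrator,203.0.113.10
2019-01-24T08:58:00,4625,2,jsmith,10.0.5.23
2019-01-24T09:05:00,4625,10,svc_backup,10.0.5.40
2019-01-24T09:06:00,4625,10,svc_backup,10.0.5.40
2019-01-24T09:15:00,4624,10,jsmith,10.0.5.23
2019-01-24T09:20:00,4624,10,itadmin,10.0.1.5
"""


def parse_events(text):
    """Turn the CSV export into a list of dicts with a real datetime."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    events = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        events.append(rec)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source address.
    Returns {source_ip: {"peak": n, "flagged_at": ts}} for sources that
    reached the lockout threshold; the same rule that would drive an
    account lockout or an admin alert."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # ignore successes and non-RDP logon types
        q = recent[ev["source_ip"]]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            entry = flagged.setdefault(ev["source_ip"], {"peak": 0, "flagged_at": ev["timestamp"]})
            entry["peak"] = max(entry["peak"], len(q))
    return flagged


def detect_success_after_bruteforce(events, flagged):
    """Highest-priority alert: a successful RDP logon from a source that had
    already crossed the brute-force threshold (the password was guessed)."""
    hits = []
    for ev in events:
        if ev["event_id"] != SUCCESS_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        entry = flagged.get(ev["source_ip"])
        if entry and ev["timestamp"] >= entry["flagged_at"]:
            hits.append((ev["source_ip"], ev["user"]))
    return hits


def detect_unexpected_rdp_sources(events, allowed_networks):
    """Successful RDP logons whose source is outside the allowlist, e.g. a
    workstation VLAN or an internet address that bypassed the VPN."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for ev in events:
        if ev["event_id"] != SUCCESS_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        addr = ipaddress.ip_address(ev["source_ip"])
        if not any(addr in n for n in nets):
            hits.append((ev["source_ip"], ev["user"]))
    return hits


def run(text=SAMPLE_EVENTS, allowed_networks=("10.0.1.0/24",)):
    events = parse_events(text)
    flagged = detect_bruteforce(events)
    return {
        "bruteforce": flagged,
        "success_after_bruteforce": detect_success_after_bruteforce(events, flagged),
        "unexpected_sources": detect_unexpected_rdp_sources(events, allowed_networks),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On the sample data the external address is flagged after its fifth failure, its later success is reported as the top-priority finding, and the workstation's RDP logon is reported as coming from outside the allowlist, while the jump host and the two sub-threshold failures from 10.0.5.40 produce nothing. The same structure applies unchanged to a SIEM query: group 4625/type 10 by source over a short window, and join any 4624/type 10 against both the flagged sources and the allowlist.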

Contact us to learn more!