Cyber Criminals Sell Compromised Servers to Carry Out DDoS Attacks

Just when you think it can’t get any worse for IT security professionals, cyber criminals come up with even more sinister means of misconduct. This week Kaspersky Lab reported that xDedic, a major underground marketplace, is selling access to more than 70,000 compromised servers, allowing buyers to carry out widespread cyberattacks around the world. According to The Star Online,

“Each [kit] comes pre-equipped with a variety of software to mount denial-of-service attacks on other networks, launch spam campaigns, illicitly manufacture bitcoin currency or compromise online or retail payment systems, the researchers said.”

Those 70,000 servers are what we in the industry commonly refer to as being “owned.” They are infected with malware that can “sleep” until a hacker turns it on to steal sensitive data or to demand a ransom. The legitimate owners of those servers don’t realize their servers have been hacked, or that their servers could be leveraged for further criminal gain.

To add salt to the wound, the price is dirt cheap: for a mere $6 per server, the cyber thugs will sell access. Between selling distributed denial of service (DDoS) as a service and now selling access to compromised servers, the denizens of the dark underworld have quite a business model, don’t they? Given that companies around the world spend thousands—in many cases, millions—of dollars to protect their networks, it’s frustrating that it’s so inexpensive for hackers to wreak havoc with those networks.

In terms of DDoS attacks, this means two things:

  1. It’s very likely that the servers were infected and compromised during a Dark DDoS attack, i.e., a low-threshold, partial link saturation attack that distracts IT security staff by inundating online systems with junk traffic, enabling hackers to penetrate other network services that are still up and running and vulnerable. Using a DDoS attack, a hacker can create a pathway through an enterprise's network in only a few minutes. Once they've done that, they can embed an advanced persistent threat (APT: essentially the enterprise version of a botnet) that sits there quietly on the server until the bad guys want to use it. Thus, the DDoS attack serves as a smokescreen for security breaches that access sensitive data. Because it’s easy and inexpensive to launch a DDoS attack, this method is increasingly popular with hackers.
  2. It can be an endless cycle. Those same servers that were hacked could potentially be used as botnets in a zombie army for a DDoS attack. Hackers can then threaten a different organization with a DDoS attack, often demanding a demanding a ransom to stop or prevent an attack.

Of course, DDoS attacks are not the only form of cyber threat. But they are increasingly common, and highly effective when their targets don’t have a DDoS protection solution in place. Organizations can, and should, prevent their networks from getting infected in the first place by having DDoS protection.