Since its inception in early 2014, the Russian darknet marketplace xDedic has accumulated a stockpile of over 85,000 hacked servers and PCs, selling access to the highest bidders. Sixty-five percent of these servers belong to U.S. educational institutions, while many others belong to various public sector verticals, including healthcare, aviation and government entities. The U.S. has emerged as a top target for xDedic, along with Germany and Ukraine.
Credential Theft and Education
Education is a key public sector target for xDedic, which relies on brute force credential attacks to gain access to school servers. With understaffed security departments and large remote-access systems that let students reach educational resources both on and off campus, education has long been considered a soft target, presenting a potential goldmine for cybercrime. Other factors, such as weak password practices — user credentials can remain unchanged over an entire four-year degree program — make the theft of credentials easier. The more time an attacker has to figure out a password, the higher the probability that he’ll get it right.
Credential theft is easily automated and effective, which may be why it is the primary breach strategy. The 2017 Verizon Data Breach Investigations Report reports that 81 percent of all hacking-related breaches can be attributed to attackers leveraging weak, default, or stolen passwords. Even more startling (considering how often security experts preach about better password habits), this statistic is up by 18 percent over 2016.
How xDedic Gains Access
xDedic operates by breaching the Remote Desktop Protocol (RDP) servers of educational institutions using a fileless approach. RDP was originally intended to let users connect to other machines over a network, enabling remote server and PC control for administrators. After scanning for hosts with an exposed RDP port and identifying reachable servers, attackers use brute force methods to test username and password combinations. These are effective against shorter, weaker passwords. When passwords become more complex, attackers use established botnets to supplement their efforts.
Now that username and password guessing is becoming automated, the longer credentials remain unchanged, the easier it is for cybercriminals to find them and exploit your system. Once credentials are stolen, the same RDP access is used to reach and pivot to other systems, creating and augmenting user accounts in order to give xDedic customers access to your server — at the bargain price of only $7 to $15. Unfortunately, despite the fact that xDedic is known to the cyber intelligence community, it continues to profit – and it is not alone. The Romanian site “Spammer” offers similar services.
Stopping the Feast
What makes credential theft so effective is that it is a simple way to access your database. No sophisticated attack strategies are required; rather, attackers use social engineering and attempt to guess your login information. The propensity of most people to recycle passwords, keeping the same username and password for an entire four-year degree program, makes it easy to access the university’s database, as well as other accounts you might have. Here are some strategies IT teams can use to foil attackers:
- Educate your users — The global threat landscape is constantly changing. As an administrator (or any RDP user), it is imperative that you remain aware of the dangers the connected world contains. Simple steps such as reminding users not to share their password information with others, or to add complexity to their passwords, are excellent ways to deter credential theft.
- Start smart – The default password on a device or system should never be the active password: As soon as systems in your network are online, create a complex one-time password for new users to eliminate the risk of rogue systems within your environment.
- Verify the sender — Phishing attacks remain the predominant method for attackers to steal credentials. As an administrator, it is imperative you adhere to security best practices and be aware of threats to users in your position. Whenever links or attachments are included in an email, be sure you trust its source, and verify its attachments.
- Stop the “pwn” — Own your server and keep your data yours by implementing the right solution for the job. CrowdStrike Falcon® unifies next-gen AV, EDR and managed hunting to stop thieves who want to own – or pwn – your servers. With a lightweight solution that deploys in minutes, you can easily take the right steps to stop the pwn.
Credential theft continues to be a key method for attackers to breach your systems and move laterally throughout your network without your knowledge. It is important that users and administrators be mindful of their password protection policies. RDP hacks occur as a result of poor password management, and if you don’t take the necessary precautions, you put your organization at risk. Take care of your passwords and help stop the breach.
For more information on how the CrowdStrike Falcon platform can protect your public sector organization, download the Public Sector Solution Brief or contact CrowdStrike at firstname.lastname@example.org