First discovered at the end of last month by security researcher Brian Krebs, the service, dubbed Dedicatexpress, can be used to carry out a variety of ills: email scams, phishing schemes, ransomware campaigns and, of course, more advanced information-gathering initiatives aimed at stealing corporate secrets. Krebs said that almost 300,000 compromised systems have passed through this service since its inception in early 2010.
“Pitching its wares with the slogan, ‘The whole world in one service,’ Dedicatexpress.com advertises hacked RDP servers on several cybercrime forums,” Krebs wrote in his blog. In other words, all of the corporate logins are tied to servers inside company networks on which Windows Remote Desktop Protocol (RDP) has been legitimately enabled for outside access, but which have been given weak username/password combinations.
Further, it enables targeting. “Though it is not marketed this way, the service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations,” he said.
Using a list of the IP address ranges assigned to Fortune 500 companies, Krebs did not have to go far in searching the available hacks to find a compromised machine, available for just a few bucks.
“The [Cisco] machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55,” Krebs noted. “You’ll never guess the credentials assigned to this box: Username: Cisco, password: Cisco.”
Access to Dedicatexpress is granted to new “customers” who contact the service’s owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. Pricing for access to a corporate server varies according to the relative hacking horsepower, as it were, of what’s being sold: processor speed, number of processor cores, download and upload speeds, and the length of time that the hacked RDP server has been continuously available online.
The service, despite Krebs’ alert, is still going strong, according to a BBC report. The moral? Despite the huge potential security risk of these login details and accounts, privileged access points are all too often inadequately secured with weak or default passwords, leaving networks vulnerable to attack. So, HaaS offerings are unlikely to fade back into the dark cloud from whence they came.
“The existence of illegal cybercrime services such as ‘Dedicatexpress’ should come as little surprise,” said Matt Middleton-Leal, regional director, UK & Ireland at Cyber-Ark, in an email to Infosecurity. “Cybercriminals have long targeted login details and privileged passwords as an ideal way into a corporate network and to access critical information or cause havoc once inside. Privileged access points include administrative accounts, services and application accounts and enable ‘privileged’ users to log on to a network anonymously, with blanket access to an organization’s critical systems and Intellectual Property, as well as other sensitive data.”