There are over 85,000 RDP servers available for sale or rent via xDedic, a marketplace for selling or renting hacked servers that was exposed in June 2016.
Many believed xDedic would die off, as crooks would stay away from the service after it was publicly exposed by Kaspersky last year. In reality, the service shut down for a few weeks and then came back online on the Dark Web, continuing to sell hacked servers for an average price of $6.
At the time it was exposed, Kaspersky experts, who had infiltrated the service, revealed in a 25-page report that the site was used to sell access to over 70,000 hacked servers, the vast majority of which were compromised via open, unsecured RDP connections.
Threat intel biz Flashpoint says that xDedic has thrived, despite Kaspersky's exposé. In fact, Flashpoint experts say the number of servers advertised on the service has risen to over 85,000, according to a previously exposed xDedic dataset the company managed to get its hands on.
"The prolific threat actor “thedarkoverlord,” notorious for targeting healthcare entities, is believed to have leveraged this dataset for at least some of their breaches," said Vitali Kremez, Director of Research at Flashpoint.
An analysis of the leaked xDedic data revealed that almost three-quarters of all the hacked RDP servers were located in educational institutions, with most servers located in the US, Germany, and Ukraine.
RDP servers secured with easy-to-guess passwords have been brute-forced and leveraged in all sorts of attacks ranging from data breaches to ransomware incidents.
But xDedic is not the only place where someone could get their hands on hacked RDP servers. A recently launched service, hosted on a Romanian domain, also provides similar services.
This service, called Spammer, is not as sophisticated as xDedic, nor does it provide access to a large number of RDP servers, but we must take into account its short lifespan.
Also, the site appears to be a shop operated by a single hacker/group, unlike xDedic, which is an open marketplace for all users.
Besides RDP, the Spammer operators are also selling email spam lists, root access to hacked Linux servers, and hacked SMTP servers.