{
	"id": "63f8fc54-d8fd-4903-ba95-f27a9ab61ecb",
	"created_at": "2026-04-06T00:09:17.197114Z",
	"updated_at": "2026-04-10T03:24:39.91801Z",
	"deleted_at": null,
	"sha1_hash": "2858375ddd779cb21675883d13aafd7a79a580d4",
	"title": "Service Sells Access to Fortune 500 Firms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172817,
	"plain_text": "Service Sells Access to Fortune 500 Firms\r\nPublished: 2012-10-22 · Archived: 2026-04-05 21:13:45 UTC\r\nAn increasing number of services offered in the cybercrime underground allow miscreants to purchase access to\r\nhacked computers at specific organizations. For just a few dollars, these services offer the ability to buy your way\r\ninside of Fortune 500 company networks.\r\nThe service I examined for this post currently is renting access\r\nto nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this\r\nservice since its inception in early 2010. All of the machines for sale have been set up by their legitimate owners\r\nto accept incoming connections via the Internet, using the Remote Desktop Protocol (RDP), a service built into\r\nMicrosoft Windows machines that gives the user graphical access to the host PC’s desktop. Businesses often turn\r\non RDP for server and desktop systems that they wish to use remotely, but if they do so using a username and\r\npassword that is easily guessed, those systems will soon wind up for sale on services like this one.\r\nPitching its wares with the slogan, “The whole world in one service,” Dedicatexpress.com advertises hacked\r\nRDP servers on several cybercrime forums. Access is granted to new customers who contact the service’s owner\r\nvia instant message and pay a $20 registration fee via WebMoney, a virtual currency. The price of any hacked\r\nserver is calculated based on several qualities, including the speed of its processor and the number of processor\r\ncores, the machine’s download and upload speeds, and the length of time that the hacked RDP server has been\r\ncontinuously available online (its “uptime”).\r\nThough it is not marketed this way, the service allows users to search for hacked RDP servers by entering an\r\nInternet address range, an option that comes in handy if you are looking for computers inside of specific\r\norganizations. 
For instance, I relied on a list of the IP address ranges assigned to the companies in the current\r\nFortune 500 listing (special thanks to online banking security vendor Greenway Solutions for their help on this\r\nfront).\r\nI made it about halfway through the list of companies in the Fortune 100 with names beginning in “C” when I\r\nfound a hit: A hacked RDP server at Internet address space assigned to networking giant Cisco Systems Inc. The\r\nmachine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55 (see screenshot below).\r\nYou’ll never guess the credentials assigned to this box: Username: “Cisco,”; password: “Cisco”. Small wonder\r\nthat it was available for sale via this service. A contact at Cisco’s security team confirmed that the hacked RDP\r\nserver was inside of Cisco’s network; the source said that it was a “bad lab machine,” but declined to offer more\r\ndetails.\r\nhttps://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/\r\nPage 1 of 3\n\nA hacked Win 2003 Server installation at Cisco Systems was on sale for $4.55.\r\nDedicatexpress works directly with hackers who earn commissions for selling the RDP machines to the service\r\n(see screenshot below). The number beside each seller’s name indicates how many servers he has sold to\r\ndedicatexpress.com. The service says it will not buy RDP servers from Russia, probably because its proprietors\r\nare from that country and do not wish to antagonize Russian law enforcement officials (the site is in Russian but\r\nthe images pictured here are from Google-translated versions of the pages).\r\nTop vendors of hacked RDP servers.\r\nSellers can specify how the servers that they contribute may be used, and very often state that their RDP servers\r\nmay not be used for particular activities, such as online gambling, PayPal or dating scams. 
Buyers may also be\r\nlimited to running regular user accounts on the hacked systems, barring them from installing many types of\r\nsoftware (the Cisco server sold above granted the buyer administrative rights).\r\nBefore a server can be purchased, the service prompts buyers to use its built-in system for checking the reputation\r\nof the hacked RDP installation. I ran a check on the Cisco box and found that it had already been blacklisted by 10\r\nout of 15 popular services that track malicious activity online, such as spam and malware hosting. Not to worry,\r\nthough: The service’s operators assure buyers that “if you have any problems with the remote server you have just\r\npurchased, you will always be able to file a ticket with technical support and we will be happy to assist you.”\r\nSource: https://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/"
	],
	"report_names": [
		"service-sells-access-to-fortune-500-firms"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2858375ddd779cb21675883d13aafd7a79a580d4.pdf",
		"text": "https://archive.orkl.eu/2858375ddd779cb21675883d13aafd7a79a580d4.txt",
		"img": "https://archive.orkl.eu/2858375ddd779cb21675883d13aafd7a79a580d4.jpg"
	}
}