Introduction

BidenCash, a carding marketplace infamous for selling leaked credit card information, has gained significant traction since its launch in April 2022. The marketplace has recently ventured into a new area by offering SSH services to buyers for as low as USD 2. The impact of these offerings can be severe as threat actors can launch cyber attacks with the powerful processing capabilities of the servers.

‍

In October 2022, the first dataset of 1.2 million credit cards was leaked. The datasets involved sensitive information such as Personally Identifiable Information (PII) and Social Security Numbers (SSNs) along with card details, and CVV codes. As a result, the marketplace quickly grew in popularity and experienced a significant increase in monthly visitors where February 2023 saw the highest number of visitors due to its latest release of 2 million unique credit card data in February 2023.

‍

‍

BidenCash's New Venture: Selling SSH Access

In the latter part of last week, CloudSEK noticed a slight deviation from the primary business model of BidenCash, which involves selling leaked credit card information. The marketplace appears to have ventured into a new area of selling SSH access to interested buyers.

‍

‍

As per the advertisement on a Russian-speaking underground forum, the key features provided by BidenCash ensure a smooth and efficient experience for those interested in purchasing SSH access through BidenCash. The offerings include:

Shell presence check: To ensure the presence of a shell on the target server
CPU and RAM information: To provide information about the server's processing power
Server flag information: To check for the presence of known vulnerabilities or exploits
Socks5 port availability check: To check if the server supports the Socks5 protocol
Geolocation check: To confirm the server's location
Checking IP addresses against blacklists Spamhaus, Sorbs.net, Spamcop, SouthKoreanNBL,

Barracuda BBL: To ensure the server's IP address is not blacklisted

Available filtering options include filters based on geography, architecture, presence of a shell, availability of socks5, username, etc.
Validity check before issuing SSH access: To guarantee the absence of dead accesses.

‍

*Different offerings based on the type of SSH servers*

‍

The advertisement also encourages other threat actors to join forces in order to expand this venture. BidenCash receives 30% in commission for each sale offered on the website.

*Commission received by BidenCash for each sale*

‍

Also Read Custom malware Kaiji targets IoT devices via SSH brute forcing

‍

Based on this new offering, various existing sellers on different dark web forums can also begin their venture into gathering SSH accesses to monetize maximum from the marketplace. By listing their accesses on Bidencash, the threat actors can escape the negotiations cycle and traps set by security researchers on the forums.

*Threat actors advertising SSH access on the same cybercrime forum where Bidencash listed their new offering*

‍

Analysis of BidenCash's SSH Inventory and Potential Earnings

After analyzing BidenCash's SSH inventory over the past five days, we've discovered that they've listed over 850 SSH servers with varying architecture, CPU configurations, and countries, among other things. The prices for these servers range from $2 (lowest) to $10 (highest).

*SSH Servers from the most affected countries*

‍

Based on our rough calculations, if all 850 listed cards are sold, sellers on the marketplace stand to make an average of $3,570 every five days (or $21,420 every month), while BidenCash itself would receive $1,530 (or $9,180 every month) in commission. However, given the popularity of BidenCash, we anticipate at least a 3-fold increase in the number of listings on the marketplace that can attract more potential buyers over time.

‍

Vouch for the Service

With the launch of the new SSH offering, threat actors have already started vouching for it on various dark web forums. Given the popularity and reputation of BidenCash in the underground market, it is highly likely that many cybercriminals may have already started purchasing these illegitimate offerings to conduct nefarious activities.

‍

*Threat actors vouching for the new SSH service*

‍

Long-term Impact

The SSH servers being offered on the BidenCash marketplace are not only cheap but also come with varying CPU configurations and processing powers. Some of the servers with admin-level or root-level access are available for as low as $10, equipped with powerful hardware specifications. We have observed some of the most powerful servers on the marketplace with 196GB RAM and 104 CPU cores.

‍

This poses a significant risk as threat actors can leverage this power to conduct a wide range of malicious activities, such as data exfiltration, brute force and ransomware attacks, and cryptocurrency mining. Moreover, they can launch large-scale DDoS attacks to disrupt services at private and government organizations, causing significant damage to their operations and reputation.

‍

Conclusion

With the ability to purchase powerful servers while maintaining anonymity, cyber attacks can be very difficult to thwart. The availability of SSH servers on marketplaces such as BidenCash can increase the scope and scale of attacks, making it imperative for organizations to ensure the security of their systems and keep their SSH servers secure.

‍