BidenCash Business Expansion: SSH Server Access Now Available on Dark Web

BidenCash, a notorious marketplace for selling leaked credit card information, has expanded its services by offering SSH access to buyers for as low as $2. This new offering can have severe consequences for cybersecurity.

Bablu Kumar
May 16, 2023
Green Alert
Last updated on February 3, 2024
Co-author: Rishika Desai

Introduction

BidenCash, a carding marketplace infamous for selling leaked credit card information, has gained significant traction since its launch in April 2022. The marketplace has recently ventured into a new area by offering SSH services to buyers for as low as USD 2. The impact of these offerings can be severe as threat actors can launch cyber attacks with the powerful processing capabilities of the servers.

In October 2022, the first dataset of 1.2 million credit cards was leaked. The datasets included sensitive information such as Personally Identifiable Information (PII) and Social Security Numbers (SSNs), along with card details and CVV codes. As a result, the marketplace quickly grew in popularity and saw a significant increase in monthly visitors, peaking in February 2023 following its latest release of 2 million unique credit card records that month.

BidenCash's New Venture: Selling SSH Access 

In the latter part of last week, CloudSEK noticed a slight deviation from the primary business model of BidenCash, which involves selling leaked credit card information. The marketplace appears to have ventured into a new area of selling SSH access to interested buyers.

Advertisement post on the forum

As per the advertisement on a Russian-speaking underground forum, the key features provided by BidenCash ensure a smooth and efficient experience for those interested in purchasing SSH access through BidenCash. The offerings include:

 

  • Shell presence check: To ensure the presence of a shell on the target server
  • CPU and RAM information: To provide information about the server's processing power
  • Server flag information: To check for the presence of known vulnerabilities or exploits
  • Socks5 port availability check: To check if the server supports the Socks5 protocol
  • Geolocation check: To confirm the server's location
  • Checking IP addresses against blacklists (Spamhaus, Sorbs.net, Spamcop, SouthKoreanNBL, Barracuda BBL): To ensure the server's IP address is not blacklisted

  • Available filtering options include filters based on geography, architecture, presence of a shell, availability of socks5, username, etc.
  • Validity check before issuing SSH access: To guarantee the absence of dead accesses.

Different offerings based on the type of SSH servers

The advertisement also encourages other threat actors to join forces in order to expand this venture. BidenCash receives 30% in commission for each sale offered on the website. 

Commission received by BidenCash for each sale

Following this new offering, existing sellers on other dark web forums may also start collecting SSH accesses to maximize their earnings from the marketplace. By listing their accesses on BidenCash, threat actors can avoid the negotiation cycle and the traps set by security researchers on the forums.

Threat actors advertising SSH access on the same cybercrime forum where BidenCash listed their new offering

Analysis of BidenCash's SSH Inventory and Potential Earnings

After analyzing BidenCash's SSH inventory over the past five days, we've discovered that they've listed over 850 SSH servers with varying architecture, CPU configurations, and countries, among other things. The prices for these servers range from $2 (lowest) to $10 (highest).

SSH Servers from the most affected countries

Based on our rough calculations, if all 850 listed SSH servers are sold, sellers on the marketplace stand to make an average of $3,570 every five days (or $21,420 every month), while BidenCash itself would receive $1,530 (or $9,180 every month) in commission. These figures are consistent with an average price of $6 per server, the midpoint of the listed price range, and the 30% commission. However, given the popularity of BidenCash, we anticipate at least a 3-fold increase in the number of listings on the marketplace, which can attract more potential buyers over time.

Vouch for the Service

With the launch of the new SSH offering, threat actors have already started vouching for it on various dark web forums. Given the popularity and reputation of BidenCash in the underground market, it is highly likely that many cybercriminals may have already started purchasing these illegitimate offerings to conduct nefarious activities.

Threat actors vouching for the new SSH service

Long-term Impact

The SSH servers being offered on the BidenCash marketplace are not only cheap but also come with varying CPU configurations and processing power. Some of the servers with admin-level or root-level access are available for as low as $10, equipped with powerful hardware specifications. We have observed some of the most powerful servers on the marketplace with 196 GB RAM and 104 CPU cores.

This poses a significant risk as threat actors can leverage this power to conduct a wide range of malicious activities, such as data exfiltration, brute force and ransomware attacks, and cryptocurrency mining. Moreover, they can launch large-scale DDoS attacks to disrupt services at private and government organizations, causing significant damage to their operations and reputation.

Conclusion

With the ability to purchase powerful servers while maintaining anonymity, cyber attacks can be very difficult to thwart. The availability of SSH servers on marketplaces such as BidenCash can increase the scope and scale of attacks, making it imperative for organizations to ensure the security of their systems and keep their SSH servers secure.

Author

Bablu Kumar

Bablu is a technology writer and an analyst with a strong focus on all things cybersecurity
