GoldBrute botnet targeting Windows RDP systems in brute force hacking spree

More than 1.5 million unique IP addresses have been compromised with the figure only expected to rise

Hackers have deployed a botnet that's actively targeting systems running a remote desktop protocol (RDP) connection using a hard-to-detect brute-forcing mechanism.

A security researcher has discovered that more than 1.5 million RDP endpoints have so far been compromised by a botnet dubbed GoldBrute and that this figure is only expected to rise.

It highlights that brute-forcing still remains a dangerous method of attack, despite recent widespread attention given to the critical Windows Bluekeep vulnerability.

This was revealed last month as a remote desktop service (RDS), remote code execution (RCE) and RDP flaw that could allow attackers to run arbitrary malicious code on older Windows systems.

The brute-forcing botnet, by contrast, has been scouring the web for exposed RDP servers and is taking advantage of inadequate passwords to build a network of hacked endpoints, according to Morphus Labs' chief research officer Renato Marinho.

"RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability," he said.

"While the reporting around this 'Bluekeep' vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.

"Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them."

A system breached by GoldBrute will first be instructed to download an 80MB-sized ZIP file that contains the malware strain. This programme then scans random IP addresses to find potential hosts with exposed RDP servers that aren't already listed on the main GoldBrute directory of known endpoints.

After finding 80 new endpoints, the malware sends this list of IP addresses to a single remote command and control (C&C) server. The infected system, in turn, receives a list of IP addresses to brute-force.

Crucially, there is only one attempt to crack each IP address listed, with a single username and password combination.

This is a possible strategy, according to Marinho, to "fly under the radar of security tools", because each authentication attempt comes from different addresses. It means GoldBrute's hacking attempts are difficult to detect by a range of security systems deployed by businesses.

The successful username and password combinations are then fed back into the C&C server where the attackers behind GoldBrute will have access to them.

After analysing GoldBrute code and trying to understand its mechanics, Marinho's team received 2.1 million IP addresses, of which 1,596,571 were unique. They then plotted these addresses onto a global map, with South Korea a clear hotspot for attacks, followed by other parts of Asia as well as sites in the US, central Europe, and the UK.

Meanwhile, in light of the Bluekeep threat plaguing legacy Windows systems, the National Cyber Security Centre (NCSC) has reiterated advice to businesses to apply Microsoft's latest security patches as soon as possible.

Organisations should also focus on external-facing RDP services, critical servers such as domain controllers and management servers, as well as non-critical servers but those with RDP enabled.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first
Technology

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021