GoldBrute botnet targeting Windows RDP systems in brute force hacking spree

More than 1.5 million unique IP addresses have been compromised with the figure only expected to rise

Hackers have deployed a botnet that's actively targeting systems running a remote desktop protocol (RDP) connection using a hard-to-detect brute-forcing mechanism.

A security researcher has discovered that more than 1.5 million RDP endpoints have so far been compromised by a botnet dubbed GoldBrute and that this figure is only expected to rise.

It highlights that brute-forcing still remains a dangerous method of attack, despite recent widespread attention given to the critical Windows Bluekeep vulnerability.

This was revealed last month as a remote desktop service (RDS), remote code execution (RCE) and RDP flaw that could allow attackers to run arbitrary malicious code on older Windows systems.

The brute-forcing botnet, by contrast, has been scouring the web for exposed RDP servers and is taking advantage of inadequate passwords to build a network of hacked endpoints, according to Morphus Labs' chief research officer Renato Marinho.

"RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability," he said.

"While the reporting around this 'Bluekeep' vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.

"Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them."

A system breached by GoldBrute will first be instructed to download an 80MB-sized ZIP file that contains the malware strain. This programme then scans random IP addresses to find potential hosts with exposed RDP servers that aren't already listed on the main GoldBrute directory of known endpoints.

After finding 80 new endpoints, the malware sends this list of IP addresses to a single remote command and control (C&C) server. The infected system, in turn, receives a list of IP addresses to brute-force.

Crucially, there is only one attempt to crack each IP address listed, with a single username and password combination.

This is a possible strategy, according to Marinho, to "fly under the radar of security tools", because each authentication attempt comes from different addresses. It means GoldBrute's hacking attempts are difficult to detect by a range of security systems deployed by businesses.

The successful username and password combinations are then fed back into the C&C server where the attackers behind GoldBrute will have access to them.

After analysing GoldBrute code and trying to understand its mechanics, Marinho's team received 2.1 million IP addresses, of which 1,596,571 were unique. They then plotted these addresses onto a global map, with South Korea a clear hotspot for attacks, followed by other parts of Asia as well as sites in the US, central Europe, and the UK.

Meanwhile, in light of the Bluekeep threat plaguing legacy Windows systems, the National Cyber Security Centre (NCSC) has reiterated advice to businesses to apply Microsoft's latest security patches as soon as possible.

Organisations should also focus on external-facing RDP services, critical servers such as domain controllers and management servers, as well as non-critical servers but those with RDP enabled.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021