GoldBrute botnet targeting Windows RDP systems in brute force hacking spree

More than 1.5 million unique IP addresses have been compromised with the figure only expected to rise

Botnet graphic

Hackers have deployed a botnet that's actively targeting systems running a remote desktop protocol (RDP) connection using a hard-to-detect brute-forcing mechanism.

A security researcher has discovered that more than 1.5 million RDP endpoints have so far been compromised by a botnet dubbed GoldBrute and that this figure is only expected to rise.

It highlights that brute-forcing still remains a dangerous method of attack, despite recent widespread attention given to the critical Windows Bluekeep vulnerability.

This was revealed last month as a remote desktop service (RDS), remote code execution (RCE) and RDP flaw that could allow attackers to run arbitrary malicious code on older Windows systems.

The brute-forcing botnet, by contrast, has been scouring the web for exposed RDP servers and is taking advantage of inadequate passwords to build a network of hacked endpoints, according to Morphus Labs' chief research officer Renato Marinho.

"RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability," he said.

"While the reporting around this 'Bluekeep' vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.

"Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them."

A system breached by GoldBrute will first be instructed to download an 80MB-sized ZIP file that contains the malware strain. This programme then scans random IP addresses to find potential hosts with exposed RDP servers that aren't already listed on the main GoldBrute directory of known endpoints.

After finding 80 new endpoints, the malware sends this list of IP addresses to a single remote command and control (C&C) server. The infected system, in turn, receives a list of IP addresses to brute-force.

Crucially, there is only one attempt to crack each IP address listed, with a single username and password combination.

This is a possible strategy, according to Marinho, to "fly under the radar of security tools", because each authentication attempt comes from different addresses. It means GoldBrute's hacking attempts are difficult to detect by a range of security systems deployed by businesses.

The successful username and password combinations are then fed back into the C&C server where the attackers behind GoldBrute will have access to them.

After analysing GoldBrute code and trying to understand its mechanics, Marinho's team received 2.1 million IP addresses, of which 1,596,571 were unique. They then plotted these addresses onto a global map, with South Korea a clear hotspot for attacks, followed by other parts of Asia as well as sites in the US, central Europe, and the UK.

Meanwhile, in light of the Bluekeep threat plaguing legacy Windows systems, the National Cyber Security Centre (NCSC) has reiterated advice to businesses to apply Microsoft's latest security patches as soon as possible.

Organisations should also focus on external-facing RDP services, critical servers such as domain controllers and management servers, as well as non-critical servers but those with RDP enabled.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

8 of the most secure web browsers
web browser

8 of the most secure web browsers

25 Sep 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020