Botnet Bruteforces Over 1.5 million RDP Servers Globally

A botnet has been discovered attempting to brute-force its way into over 1.5 million Remote Desktop Protocol (RDP) servers exposed to the Internet.

The botnet, named GoldBrute, was discovered by security researcher Renato Marinho of Morphus Labs, and affects RDP servers around the world.

"Shodan lists about 2.4 million exposed servers. GoldBrute uses its own list and is extending it as it continues to scan and grow," said Marinho. "The botnet is using a single command and control server, with bots exchanging data with the C2 via AES encrypted WebSocket connections to port 8333."

Infected systems are first instructed to download the bot code, a package that bundles a complete Java Runtime so the malware does not depend on Java already being installed on the victim. The bot itself is implemented in a Java class called GoldBrute.

"Initially, the bot scans random IP addresses to find more hosts with exposed RDP servers," said Marinho. "These IPs are reported back to the C&C server. After the bot has reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot."

Rather sneakily, the C&C server hands each bot a single username and password pair to try against each target, so no bot ever guesses twice at the same host. Seen from the victim, every failed logon arrives from a different source address. Defences that key on the source, such as locking out or rate-limiting an IP after a handful of failures, never reach their threshold, and the guessing continues unnoticed. Catching this pattern requires aggregating failures per target account or target host across all source addresses, rather than per source.
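The contrast between the two ways of counting is easier to see over sample data. The following is an added example (not code from the original article or from Morphus Labs) that parses a handful of constructed log lines in the shape of Windows Security event 4625 (logon failure) exports and applies both rules to them. The log format, the field names and the thresholds are assumptions chosen for the demonstration; real exports will need a matching regex.

```python
"""Compare per-source and per-account counting of failed RDP logons.

A distributed guesser that sends one attempt per source IP stays under
any per-IP lockout threshold, but the failures still pile up against the
target account. Aggregating by account exposes the campaign.
"""
import re
from collections import defaultdict

# Constructed sample records, one per line, modelled loosely on fields of
# Windows Security event 4625 (logon failure) / 4624 (logon success).
# LogonType=10 is RemoteInteractive, i.e. an RDP logon. These lines are
# made up for the example; they are not real telemetry.
SAMPLE_LOG = """\
2019-06-06T10:00:01Z 4625 TargetUserName=Administrator LogonType=10 IpAddress=203.0.113.10
2019-06-06T10:00:07Z 4625 TargetUserName=administrator LogonType=10 IpAddress=198.51.100.22
2019-06-06T10:00:15Z 4625 TargetUserName=administrator LogonType=10 IpAddress=192.0.2.77
2019-06-06T10:00:21Z 4625 TargetUserName=administrator LogonType=10 IpAddress=203.0.113.45
2019-06-06T10:00:33Z 4625 TargetUserName=administrator LogonType=10 IpAddress=198.51.100.9
2019-06-06T10:00:40Z 4625 TargetUserName=administrator LogonType=10 IpAddress=192.0.2.130
2019-06-06T10:01:02Z 4625 TargetUserName=jdoe LogonType=10 IpAddress=10.0.0.15
2019-06-06T10:01:05Z 4625 TargetUserName=jdoe LogonType=10 IpAddress=10.0.0.15
2019-06-06T10:01:30Z 4624 TargetUserName=jdoe LogonType=10 IpAddress=10.0.0.15
2019-06-06T10:02:00Z 4625 TargetUserName=svc_backup LogonType=3 IpAddress=10.0.0.40
"""

# Assumed line layout: timestamp, event ID, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"LogonType=(?P<ltype>\d+)\s+IpAddress=(?P<ip>\S+)$"
)


def parse_rdp_failures(lines):
    """Return (timestamp, account, source_ip) for each failed RDP logon.

    Only event 4625 with LogonType 10 is kept; account names are lowered
    because Windows account names are case-insensitive.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["event"] == "4625" and m["ltype"] == "10":
            events.append((m["ts"], m["user"].lower(), m["ip"]))
    return events


def per_source_alerts(events, threshold):
    """Classic rule: flag a source IP with at least `threshold` failures.

    This is the kind of rule the one-guess-per-bot scheme is built to evade.
    """
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def per_account_alerts(events, threshold):
    """Distributed rule: flag an account attacked from at least `threshold`
    distinct source IPs. Returns {account: distinct_source_count}.
    """
    sources = defaultdict(set)
    for _, user, ip in events:
        sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= threshold}


if __name__ == "__main__":
    failures = parse_rdp_failures(SAMPLE_LOG.splitlines())
    print(f"{len(failures)} failed RDP logons parsed")
    print("per-source alerts (>=5 failures from one IP):", per_source_alerts(failures, 5))
    print("per-account alerts (>=5 distinct IPs):", per_account_alerts(failures, 5))
```

With these lines the per-source rule fires on nothing: no address appears more than twice. The per-account rule flags `administrator`, hit from six different addresses in under a minute, while `jdoe` (two failures from one address, then a success) stays below the bar. In production the same aggregation belongs in the SIEM query, scoped to a time window, and is worth running per target host as well as per account, since a campaign that rotates usernames still concentrates on the same few exposed servers.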

The discovery comes in the wake of the "BlueKeep" vulnerability (CVE-2019-0708), a pre-authentication remote code execution flaw in Remote Desktop Services for which many exposed servers are still unpatched, and over which both Microsoft and the NSA have issued warnings urging users to apply security updates as soon as possible. The two threats are distinct: GoldBrute does not exploit any flaw in RDP, it simply guesses credentials against servers that are working as designed, so patching CVE-2019-0708 does not stop it. Strong, unique passwords, account lockout policies and keeping RDP off the open Internet (behind a VPN or gateway) are what blunt this campaign.

. . .
