Security researchers have discovered a new botnet that has been attacking Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet.

Discovered by Renato Marinho of Morphus Labs, the researcher says the botnet has been seen attacking 1,596,571 RDP endpoints, a number that will most likely rise in the coming days.

Named GoldBrute, the botnet works as follows:

Botnet brute-forces and gain access to a Windows system via RDP. Downloads a ZIP file with the GoldBrute malware code. Scans the internet new RDP endpoints that are not part of the main GoldBrute list of RDP endpoints. After it finds 80 new RDP endpoints, it sends the list of IP addresses to its remote command-and-control server. Infected host receives a list of IP addresses to brute force. For each IP address, there's only one username and password the bot must try to authenticate with. Each GoldBrute bot gets a different username&password combo. Bot performs brute-force attack and reports result back to C&C server.

Image: Renato Marinho; Morphus Labs; via SANS ISC

GoldBrute botnet growing in size

It is currently unclear how large the GoldBrute botnet really is. What is known is that the botnet's list of "brutable" RDP targets has grown in size over the past few days as it slowly found new RDP endpoints to launch attacks against.

This growth of the GoldBrute master list of RDP targets also suggests an increase of its base of infected devices.

The bad news for companies and users running RDP endpoints exposed on the Internet is that the botnet is also difficult to detect and stop. This is because every GoldBrute-infected system only launches one password-guessing attempt per victim, preventing security systems that provide brute-force protection from kicking in.

BlueKeep overshadowed real danger

The discovery of the GoldBrute botnet has also highlighted that, currently, brute-force attacks remain the top threat for RDP systems exposed online.

Despite all the panic surrounding the looming threat of someone weaponizing the new BlueKeep RDP vulnerability, security researchers say that most RDP attacks today are classic brute-force attempts.

According to statistics released today by cyber threat intelligence firm Bad Packets, RDP scans for the BlueKeep vulnerability only account for 3.4% of all the malicious RDP traffic seen in the past week.

On the other hand, RDP brute-force attacks and attempts to exploit older RDP vulnerabilities account for 96.6%, showing that the conscious decision made by multiple security firms and security researchers to refrain from releasing a working BlueKeep exploit has been a good one.

RDP Detections – Last 7 Days

96.6% not BlueKeep

3.4% #BlueKeep related pic.twitter.com/gXBFqr9mlF — Bad Packets Report (@bad_packets) June 6, 2019

"The GoldBrute botnet activity indicates miscreants are still employing classical techniques of brute-forcing instead of exploiting BlueKeep to target RDP endpoints," Troy Mursch, Bad Packets founder, told ZDNet today.

Of course, just because hackers haven't figured out a way to exploit the BlueKeep vulnerability, it doesn't mean that companies can delay patching.

On the contrary; both Microsoft and the NSA have issued dire warnings urging users to apply security updates as soon as possible.

Related malware and cybercrime coverage: