GoldBrute attempts to brute-force millions of RDP connections

Walden Systems News

In the space of a few days, GoldBrute, named after the Java class it uses, attempted to brute-force Remote Desktop Protocol (RDP) logins on more than 1.5 million Windows systems, a number that is still growing. According to Morphus Labs chief research officer Renato Marinho, the botnet is actively scanning the internet for machines with RDP exposed and trying weak or reused passwords against them to see if it can gain access. In six hours, researchers received 2.1 million IP addresses from the C2 server, of which 1,596,571 were unique. There are plenty of hosts to be had: nearly 2.5 million RDP instances are exposed to the internet.

The damage could be extensive. RDP is used by tech support staff and IT admins to connect to and interact with machines remotely, and sometimes by teleworking employees. Once an attacker has guessed a valid credential, they have the Windows desktop and can do anything the legitimate user is permitted to do. In corporate networks, implanting malware, stealing information, and commandeering CPU resources for cryptomining or distributed denial-of-service attacks could all be on the menu for the GoldBrute operators.


It turns out that the GoldBrute botnet is controlled by a single command-and-control (C2) server, associated with an IP address in New Jersey. That means the adversaries could in theory run any of the attacks above at large scale, all at once, from one control point. According to the researcher, the C2 exchanges data with the bots over AES-encrypted WebSocket connections on port 8333. A newly infected system is first instructed to download the bot code, a very large package of roughly 80 MB that bundles the complete Java Runtime. The bot then scans random IP addresses for hosts with RDP exposed and reports those addresses back to the C2.

Once a bot has reported 80 new hosts, the C2 server assigns it a set of targets to brute-force. Each bot tries only one particular username and password against each target. This looks like a strategy to fly under the radar of security tools: every authentication attempt against a given host comes from a different address, so per-source lockouts and failed-logon thresholds never trigger. And while recent reporting around the BlueKeep vulnerability has focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.
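One way to catch this one-attempt-per-source pattern in Windows failed-logon telemetry, as an added example that is not from the article or from Morphus Labs: the script below contrasts a classic per-source threshold rule with a detector that looks for many distinct sources each failing once against the same host inside a short window. The event tuples, hostnames and IP addresses are constructed for illustration; the field layout and the use of LogonType 10 (RemoteInteractive) to pick out RDP logons from Event ID 4625 are assumptions about how one would export the Security log.

```python
"""Spot a GoldBrute-style distributed RDP brute force in failed-logon events.

Assumptions (not from the article): events are tuples of
(timestamp, target_host, source_ip, username, logon_type) as one might
export from Windows Security Event ID 4625; logon_type 10
(RemoteInteractive) is how RDP logons appear there.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not a real capture.  Six bots each make exactly
# one failed RDP logon against TS01; a legitimate user (10.0.0.5) fails three
# times in a row; FS02 sees a single stray attempt; one event is a network
# logon (type 3) that an RDP rule should ignore.
SAMPLE_EVENTS = [
    ("2019-06-06T10:00:01", "TS01", "198.51.100.10", "administrator", 10),
    ("2019-06-06T10:00:04", "TS01", "198.51.100.11", "admin", 10),
    ("2019-06-06T10:00:09", "TS01", "198.51.100.12", "administrator", 10),
    ("2019-06-06T10:00:15", "TS01", "198.51.100.13", "user", 10),
    ("2019-06-06T10:00:22", "TS01", "198.51.100.14", "administrator", 10),
    ("2019-06-06T10:00:40", "TS01", "198.51.100.15", "test", 10),
    ("2019-06-06T10:03:00", "TS01", "10.0.0.5", "jsmith", 10),
    ("2019-06-06T10:03:05", "TS01", "10.0.0.5", "jsmith", 10),
    ("2019-06-06T10:03:09", "TS01", "10.0.0.5", "jsmith", 10),
    ("2019-06-06T10:00:30", "FS02", "203.0.113.7", "backup", 10),
    ("2019-06-06T10:01:00", "TS01", "10.0.0.9", "svc_batch", 3),
]


def per_source_threshold(events, threshold=3):
    """Classic rule: flag any source IP with `threshold` or more failed RDP
    logons.  Catches the fat-fingered user but none of the bots."""
    counts = Counter(src for _, _, src, _, ltype in events if ltype == 10)
    return {src for src, n in counts.items() if n >= threshold}


def find_distributed_spray(events, window=timedelta(minutes=5),
                           min_sources=5, max_per_source=1):
    """Flag a target host when, inside any `window`, at least `min_sources`
    distinct "quiet" source IPs (each with no more than `max_per_source`
    failed RDP logons in total) hit it.  Returns {target_host: set(source_ips)}."""
    by_target = defaultdict(list)
    for ts, host, src, _user, ltype in events:
        if ltype != 10:          # only RemoteInteractive (RDP) logons
            continue
        by_target[host].append((datetime.fromisoformat(ts), src))

    alerts = {}
    for host, recs in by_target.items():
        totals = Counter(src for _, src in recs)
        # keep only sources that stayed under the per-source threshold;
        # these are exactly the ones a lockout policy never sees
        quiet = sorted((ts, src) for ts, src in recs
                       if totals[src] <= max_per_source)
        start = 0
        for end in range(len(quiet)):
            # slide the window start forward until the span fits
            while quiet[end][0] - quiet[start][0] > window:
                start += 1
            in_window = {src for _, src in quiet[start:end + 1]}
            if len(in_window) >= min_sources:
                alerts.setdefault(host, set()).update(in_window)
    return alerts


if __name__ == "__main__":
    print("per-source rule flags:", per_source_threshold(SAMPLE_EVENTS))
    for host, srcs in find_distributed_spray(SAMPLE_EVENTS).items():
        print(f"distributed spray against {host} from {len(srcs)} sources:",
              sorted(srcs))
```

Run as a script, the per-source rule flags only the legitimate user's three typos, while the distributed rule flags TS01 with the six bot addresses. In practice, feed it 4625 events from your SIEM and tune `min_sources` to a count that would be unusual for the host in question; a botnet wave shows up as dozens of distinct addresses within minutes, which no single-source threshold will ever see.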

The BlueKeep critical remote code-execution vulnerability (CVE-2019-0708), for which a fully functioning exploit has been developed, also opens remote desktop services to attack. It's seen as the next big corporate threat because it's wormable and requires no user interaction to spread. That's prompted the National Security Agency to warn of a potential WannaCry-level event.

GoldBrute highlights the fact that the bulk of RDP scanning activity isn't BlueKeep related: attackers don't need a memory-corruption exploit when they can bypass locked screens or simply guess weak RDP credentials. IT departments need to focus on making sure machines are not exposing RDP to the internet; putting a layer such as a VPN in front of it would help. Patching the BlueKeep flaw, which affects older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2, should also be at the top of the to-do list. Millions of systems remain vulnerable to it.