silversurfer
A botnet has appeared that has attempted to brute-force 1.5 million RDP connections to Windows systems in the last few days — and counting.
While everyone’s talking about the BlueKeep Mega-Worm, this is not the main monster to fear, according to recent web attack activity. Rather, a researcher is warning that the GoldBrute botnet poses the greatest threat to Windows systems right now.
In the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) connections for 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Marinho. The botnet is actively scanning the internet for machines with RDP exposed, and trying out weak or reused passwords to see if it can gain access to the systems.
After initially spotting the activity earlier this week, “after six hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique,” Marinho wrote in a posting on Thursday, adding that the botnet continues to swell in size (though he didn’t quantify it). There are plenty of hosts to be had: Shodan reveals nearly 2.5 million exposed RDP instances as of this writing.
The danger could be extensive — RDP is used by tech support and IT admins to connect to and interact with machines remotely; it’s also sometimes used by teleworking employees. Once an attacker has access to the connection, he or she has access to the Windows desktop and can set about doing anything the legitimate user would have permission to do. Obviously, pivoting into corporate networks, implanting malware, stealing information, and marshaling CPU resources for cryptomining or distributed denial-of-service attacks could all be on the cyberattack menu du jour for the GoldBrute operators.
GoldBrute Botnet Brute Forcing 1.5 Million RDP Servers
RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability…
morphuslabs.com
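As an added example (not part of the article or of Morphus Labs' write-up), here is a small Python detection routine for the pattern the article describes: one source hammering RDP with many failed logons, then possibly succeeding. The one-line log format, the source IPs and the usernames are constructed for illustration; the Windows Event IDs 4625/4624 and LogonType 10 are the real values for failed/successful logon and RemoteInteractive (RDP) sessions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified one-line rendering of Windows Security events
# "<time> <EventID> <LogonType> <source IP> <target user>". 4625 = failed
# logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2019-06-06T10:00:01 4625 10 203.0.113.10 administrator
2019-06-06T10:00:03 4625 10 203.0.113.10 admin
2019-06-06T10:00:05 4625 10 203.0.113.10 user
2019-06-06T10:00:07 4625 10 203.0.113.10 backup
2019-06-06T10:00:09 4625 10 203.0.113.10 guest
2019-06-06T10:00:40 4624 10 203.0.113.10 guest
2019-06-06T10:01:00 4625 10 198.51.100.7 jdoe
2019-06-06T10:05:00 4625 10 198.51.100.7 jdoe
2019-06-06T10:02:00 4625 2 192.0.2.5 jdoe
"""

def parse_events(text):
    """Parse the constructed format into sorted (time, event_id, logon_type, ip, user) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(t), int(e), int(l), ip, u) for t, e, l, ip, u in rows)

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.
    Each alert records the burst size, how many distinct accounts were tried (many
    accounts from one source is spraying, not a typo) and whether RDP later succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, ip, user in parse_events(text):
        if ltype != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append(ts)
    alerts = {}
    for ip, fails in failures.items():
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts[ip] = {
                    "failures": j - i + 1,
                    "distinct_users": len({u for _, u in fails[i:j + 1]}),
                    "success_after": any(s > fails[j][0] for s in successes[ip]),
                }
                break            # one alert per source is enough
    return alerts
```

Running `detect_rdp_bruteforce(SAMPLE_EVENTS)` flags only 203.0.113.10 (five distinct accounts in ten seconds, followed by a success); the two slow failures from 198.51.100.7 and the non-RDP logon from 192.0.2.5 stay below threshold.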