GoldBrute Campaign Brute Forces 1.6m RDP Servers

Written by

Researchers have uncovered a large brute forcing campaign targeting upwards of 1.5 million remote desktop protocol (RDP) servers.

Renato Marinho, chief research officer at Morphus Labs, revealed the so-called “GoldBrute” campaign is controlled by a single C&C server, with which bots are exchanging data via AES encrypted WebSocket connections to port 8333.

Infected hosts will first be given instructions to download the bot code: a large, 80MB including the complete Java Runtime.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot,” Marinho continued.

“Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.”

Marinho claimed to have detected almost 1.6m targeted IP addresses from the C&C server — spread out across the world but located especially in Europe, the US and east Asia.

The news is a reminder that, despite the publicity around the Bluekeep RDP vulnerability, brute forcing is arguably a bigger threat today to administrators of these systems.

The NSA last week urged organizations to patch the remote code execution bug, CVE-2019-0708, warning that it could be wormable as it requires no human interaction to spread. Although exploitation has not yet been observed in the wild, it’s only a matter of time, experts claimed.

However, in the meantime, GoldBrute appears to be only just getting started.

“Shodan lists about 2.4 million exposed servers,” said Marinho. “GoldBrute uses its own list and is extending it as it continues to scan and grow.”

What’s hot on Infosecurity Magazine?