GoldBrute botnet targets Windows RDP systems – update security patches now!

Posted: Friday, June 28, 2019

Author: Robert Ward

A botnet named GoldBrute has been brute-forcing more than 1.5 million unique IP addresses that expose the Remote Desktop Protocol (RDP) to the internet. Using a brute-forcing scheme designed to stay under common detection thresholds, it scours the web for exposed RDP servers and exploits weak passwords to build a network of compromised endpoints.

Once a system is compromised by GoldBrute, it is instructed to download a ZIP file containing the bot malware. The bot then scans random IP addresses for hosts with exposed RDP servers that are not already on GoldBrute's central list of known endpoints. After finding 80 new endpoints, it sends the list of IP addresses to a single remote command and control (C&C) server and in turn receives a list of targets to brute-force. Crucially, each bot makes only one attempt against each IP address on its list, with a single username and password combination; the guessing for any one target is spread across many bots, so a per-source-IP lockout or rate-limiting rule sees a single failure from each address and never trips. Successful username and password combinations are reported back to the C&C server, where the attackers can collect them.
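The one-guess-per-target behaviour described above is exactly what a per-source lockout or rate-limit rule cannot see. The Python below is an added example, not code from the article or from the GoldBrute analysis: it runs two detection rules over constructed Windows Security event 4625 (failed logon, logon type 10 = RDP) lines and shows that a per-source threshold misses the distributed pattern while a per-target count of distinct failing sources catches it. The key=value log layout, the host name RDP-SRV01, the source addresses and the thresholds are all assumptions.

```python
"""Detecting one-attempt-per-source RDP password guessing in Windows 4625 logs.

Added example (not code from the article or from the GoldBrute research).
The log lines are constructed, and their key=value layout is an assumption:
a flattened form of Security event 4625 ("An account failed to log on") with
logon type 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ts(minute, second):
    """Constructed timestamp on 2019-06-28 (the article's date)."""
    return f"2019-06-28T10:{minute:02d}:{second:02d}Z"


def _line(minute, second, src, user="administrator"):
    """One constructed, flattened 4625 record for host RDP-SRV01 (assumed name)."""
    return (f"{_ts(minute, second)} host=RDP-SRV01 event=4625 "
            f"logon_type=10 user={user} src={src}")


# Constructed sample log:
#  - 203.0.113.1 .. 203.0.113.12: twelve sources, ONE failure each, spread over
#    six minutes (the distributed one-guess-per-bot pattern in the article)
#  - 198.51.100.7: six failures in under a minute (classic single-source brute force)
#  - 192.0.2.44: a legitimate user mistyping a password twice
SAMPLE_LOG = "\n".join(
    [_line(i // 2, 30 * (i % 2), f"203.0.113.{i + 1}") for i in range(12)]
    + [_line(3, 10 * k, "198.51.100.7") for k in range(6)]
    + [_line(5, 0, "192.0.2.44", user="jsmith"),
       _line(5, 30, "192.0.2.44", user="jsmith")]
)


def parse_line(line):
    """Parse one flattened 4625 line into a dict with a UTC datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def failed_rdp_logons(log_text):
    """Return the parsed 4625 / logon-type-10 events, oldest first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e["event"] == "4625" and e["logon_type"] == "10"]
    return sorted(events, key=lambda e: e["time"])


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic rule: alert on a source IP with >= threshold failures inside `window`.

    Returns the set of offending source IPs. A bot that sends one guess per
    target from each IP never reaches `threshold`, so this rule stays silent.
    """
    recent = defaultdict(deque)  # src -> sliding window of failure times
    alerts = set()
    for e in events:
        q = recent[e["src"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(e["src"])
    return alerts


def distributed_alerts(events, min_sources=10, window=timedelta(minutes=10)):
    """Pivot on the target host instead of the source.

    Alert when a host sees failures from >= min_sources DISTINCT source IPs
    inside `window`, however few attempts each source made.
    Returns {host: peak number of distinct sources seen in one window}.
    """
    recent = defaultdict(deque)  # host -> sliding window of (time, src)
    peak = {}
    for e in events:
        q = recent[e["host"]]
        q.append((e["time"], e["src"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        distinct = len({src for _, src in q})
        if distinct >= min_sources:
            peak[e["host"]] = max(peak.get(e["host"], 0), distinct)
    return peak


if __name__ == "__main__":
    events = failed_rdp_logons(SAMPLE_LOG)
    print("per-source rule flags:", per_source_alerts(events) or "nothing")
    print("distributed rule flags:", distributed_alerts(events))
    bots_only = [e for e in events if e["src"].startswith("203.0.113.")]
    print("bot traffic only, per-source rule:", per_source_alerts(bots_only) or "nothing")
    print("bot traffic only, distributed rule:", distributed_alerts(bots_only))
```

On the full sample the per-source rule flags only the noisy address 198.51.100.7, while the distributed rule reports 14 distinct failing sources against RDP-SRV01 inside one window; on the bot traffic alone the per-source rule reports nothing at all and the distributed rule still fires with 12. In a real deployment the window and minimum-source count should be tuned against the host's normal failed-logon baseline, and the same pivot can be applied per target account rather than per host.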

The National Cyber Security Centre (NCSC) has reiterated its advice to businesses to apply Microsoft's latest security patches as soon as possible. Note that GoldBrute does not exploit a software vulnerability: it guesses passwords, so patching alone does not stop it. Servers that must expose RDP also need strong, unique passwords, multi-factor authentication where possible, RDP reachable only through a VPN or from known source addresses, and failed-logon monitoring that counts distinct sources per host rather than only failures per source.
