Posted: Friday, June 28, 2019
A malicious botnet has compromised more than 1.5 million unique IP addresses after actively targeting systems running a remote desktop protocol (RDP) connection. Using a hard-to-detect brute-forcing mechanism, the botnet, named GoldBrute, has been scouring the web for exposed RDP servers and is taking advantage of inadequate passwords to build a network of hacked endpoints.
Once a system is breached by GoldBrute, it is instructed to download a ZIP file that contains malware. This programme then scans random IP addresses to find potential hosts with exposed RDP servers that aren’t already listed in the main GoldBrute directory of known endpoints. After finding 80 new endpoints, the malware sends this list of IP addresses to a single remote command and control (C&C) server. The infected system, in turn, receives a list of IP addresses to brute-force. Crucially, each listed IP address is tried only once, with a single username and password combination, which is believed to be a way to evade detection by security systems. Successful username and password combinations are fed back to the command and control server, where they can be accessed by the attackers.
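The one-attempt-per-host pattern described above is exactly what a per-source lockout threshold cannot see. As an added example (not from the article and not a GoldBrute artefact), this Python snippet aggregates failed RDP logons per target host across distinct source addresses; it runs over constructed sample log lines in an assumed, simplified rendering of Windows Security event 4625 fields:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry): a simplified rendering of
# Windows Security event 4625 fields. type=10 is RemoteInteractive (RDP).
SAMPLE_LOG = """\
2019-06-28T10:00:01 host=srv01 src=203.0.113.10 user=admin type=10 status=fail
2019-06-28T10:00:04 host=srv01 src=198.51.100.22 user=Administrator type=10 status=fail
2019-06-28T10:00:09 host=srv01 src=203.0.113.77 user=admin type=10 status=fail
2019-06-28T10:00:15 host=srv01 src=192.0.2.5 user=backup type=10 status=fail
2019-06-28T10:00:21 host=srv01 src=198.51.100.9 user=admin type=10 status=fail
2019-06-28T10:01:00 host=srv02 src=203.0.113.10 user=admin type=10 status=fail
2019-06-28T10:01:30 host=srv02 src=203.0.113.10 user=admin type=10 status=fail
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def distributed_failures(log_text, window=timedelta(minutes=5),
                         min_sources=4, max_per_source=1):
    """Return {host: [source IPs]} for hosts that received failed RDP logons
    from at least min_sources distinct IPs, each trying at most
    max_per_source times, inside one sliding window. A per-source lockout
    never fires on such traffic; aggregating per target host does."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "10" and e["status"] == "fail":
            by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Count failures per source from 'first' to the window's end.
            per_src = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_src[e["src"]] += 1
            quiet = [s for s, n in per_src.items() if n <= max_per_source]
            if len(quiet) >= min_sources:
                alerts[host] = sorted(quiet)
                break
    return alerts
```

In the sample, srv01 is flagged (five sources, one attempt each) while srv02, hit twice from one address, is left to the ordinary per-source lockout logic.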
The National Cyber Security Centre (NCSC) has reiterated its advice to businesses to apply Microsoft’s latest security patches as soon as possible.