GoldBrute botnet targeting Windows RDP systems in brute force hacking spree

Hackers have deployed a botnet that's actively targeting systems running a remote desktop protocol (RDP) connection using a hard-to-detect brute-forcing mechanism.

A security researcher has discovered that more than 1.5 million RDP endpoints have so far been compromised by a botnet dubbed GoldBrute and that this figure is only expected to rise.

It highlights that brute-forcing still remains a dangerous method of attack, despite recent widespread attention given to the critical Windows Bluekeep vulnerability.

This was revealed last month as a remote desktop service (RDS), remote code execution (RCE) and RDP flaw that could allow attackers to run arbitrary malicious code on older Windows systems.

The brute-forcing botnet, by contrast, has been scouring the web for exposed RDP servers and is taking advantage of inadequate passwords to build a network of hacked endpoints, according to Morphus Labs' chief research officer Renato Marinho.

"RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability," he said.

"While the reporting around this 'Bluekeep' vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.

"Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them."

A system breached by GoldBrute will first be instructed to download an 80MB-sized ZIP file that contains the malware strain. This programme then scans random IP addresses to find potential hosts with exposed RDP servers that aren't already listed on the main GoldBrute directory of known endpoints.

After finding 80 new endpoints, the malware sends this list of IP addresses to a single remote command and control (C&C) server. The infected system, in turn, receives a list of IP addresses to brute-force.

Crucially, there is only one attempt to crack each IP address listed, with a single username and password combination.

This is a possible strategy, according to Marinho, to "fly under the radar of security tools", because each authentication attempt comes from different addresses. It means GoldBrute's hacking attempts are difficult to detect by a range of security systems deployed by businesses.

The successful username and password combinations are then fed back into the C&C server where the attackers behind GoldBrute will have access to them.

After analysing GoldBrute code and trying to understand its mechanics, Marinho's team received 2.1 million IP addresses, of which 1,596,571 were unique. They then plotted these addresses onto a global map, with South Korea a clear hotspot for attacks, followed by other parts of Asia as well as sites in the US, central Europe, and the UK.

Meanwhile, in light of the Bluekeep threat plaguing legacy Windows systems, the National Cyber Security Centre (NCSC) has reiterated advice to businesses to apply Microsoft's latest security patches as soon as possible.

Organisations should also focus on external-facing RDP services, critical servers such as domain controllers and management servers, as well as non-critical servers but those with RDP enabled.