Change Your Weak Server Passwords ASAP If You Do Not Want to Face GoldBrute

GoldBrute RDP Brute-Force Botnet

Those of you who have been interested in the online threat landscape for the last few years probably know what Microsoft's Remote Desktop Protocol (or RDP) is. You've seen it being used in more than a few large-scale ransomware attacks, for example, and you have also heard of a recently discovered security vulnerability that could allow remote code execution on RDP-enabled systems. CVE-2019-0708, also known as BlueKeep, is so dangerous that Microsoft has released patches even for versions of Windows that are long out of support.

Although the patch has been out for close to a month now, researchers say that there are still more than a million hosts out there that have RDP on and can be exploited. At this point, there is no publicly accessible code that can successfully compromise the vulnerable systems, but experts have already confirmed that writing it is possible, and they argue that it's only a matter of time before the criminals catch up. If they do, the consequences could be more severe than the massive WannaCry outbreak from 2017, which is why even the NSA is advising system administrators to apply the May 2019 Patch Tuesday update and secure their networks. Last week, researchers from Morphus Labs found out that installing the patch isn't the only thing sysadmins must consider.

Who needs sophisticated exploits when you've got weak passwords?

As we mentioned already, RDP has been at the heart of more than a few cyberattacks in recent years, and the latest one seems to come in the form of the GoldBrute botnet, which, unlike BlueKeep, has been spotted in the wild and is actually pretty active.

The researchers managed to get hold of a sample, and although they are not able to say how many endpoints GoldBrute has affected thus far, they did some careful analysis and figured out that in total, the crooks want to compromise around 1.5 million hosts that have RDP enabled. There is no clever security vulnerability or sophisticated exploitation involved, though. As its name suggests, GoldBrute cracks open RDP endpoints using the old-but-gold brute-force attack.

GoldBrute might not be the most advanced threat, but it's hardly a script kiddie's plaything

At the moment, GoldBrute's functionality seems to be limited to scanning for and recruiting new bots. Generally speaking, the brute-force attack is considered to be one of the cruder weapons in the hackers' arsenal. That being said, the way GoldBrute's operators have implemented it is rather clever.

After the RDP login credentials of a victim are successfully guessed, GoldBrute downloads, extracts, and runs the bot code. The first step is to scan some random IPs in order to find more RDP hosts that can be compromised. The bot collects a list of eighty potential targets and sends it back to the Command & Control (C&C) server. The C&C then instructs the bot to try and brute-force a different set of IPs.

The interesting thing about GoldBrute is that each bot will try only one username and password combination per target. This means that the multiple failed login attempts come from many different IPs and are therefore less likely to trigger automatic lockout mechanisms or raise suspicion.
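The one-attempt-per-bot pattern described above is why counting failures per source address misses this kind of campaign. The following detection sketch is an added example, not part of the original article or the researchers' analysis: it compares per-source counting with a per-target view over constructed failed-logon records. The hostnames, documentation-range IP addresses, record layout and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed RDP logons as (time, target host, source IP, username).
# Hostnames and addresses (RFC 5737 documentation ranges) are made up for this example.
def build_sample():
    t0 = datetime(2019, 6, 11, 9, 0, 0)
    events = []
    for i in range(12):  # distributed: 12 sources, one attempt each
        events.append((t0 + timedelta(seconds=40 * i), "srv-rdp-01",
                       f"198.51.100.{10 + i}", "administrator"))
    for i in range(8):   # classic: one source hammering a single host
        events.append((t0 + timedelta(seconds=5 * i), "srv-rdp-02",
                       "203.0.113.7", "admin"))
    # Background noise: a user mistyping a password twice.
    events += [(t0, "srv-rdp-03", "192.0.2.44", "jsmith"),
               (t0 + timedelta(seconds=20), "srv-rdp-03", "192.0.2.44", "jsmith")]
    return sorted(events)

def per_source_alerts(events, threshold=5):
    """Per-source counting: flag (target, source) pairs with >= threshold failures."""
    counts = defaultdict(int)
    for _, target, src, _ in events:
        counts[(target, src)] += 1
    return {key for key, n in counts.items() if n >= threshold}

def distributed_alerts(events, window=timedelta(minutes=15),
                       min_sources=10, max_per_source=2):
    """Per-target view: flag targets hit in one window by many distinct sources,
    each of which stays at or below max_per_source failures."""
    by_target = defaultdict(list)
    for ts, target, src, _ in events:  # events are already time-sorted
        by_target[target].append((ts, src))
    flagged = set()
    for target, rows in by_target.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            per_src = defaultdict(int)
            for _, src in rows[start:end + 1]:
                per_src[src] += 1
            quiet = [s for s, n in per_src.items() if n <= max_per_source]
            if len(quiet) >= min_sources:
                flagged.add(target)
                break
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-source:", per_source_alerts(sample))
    print("distributed:", distributed_alerts(sample))
```

On the constructed data, per-source counting only sees the single noisy address, while the per-target view surfaces the host that received one failure from each of twelve different addresses.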

It's time to change your weak passwords

The people abusing RDP come from all ends of the cybercrime spectrum. The crooks that will finally come up with an in-the-wild exploitation that involves BlueKeep will most likely be very sophisticated and highly motivated. Meanwhile, although they're not script kiddies, GoldBrute's operators are hardly the most advanced group of hackers the world has ever seen. Yet, protecting your PCs and servers against them is just as important.

If you don't need to use RDP on a regular basis, disable the service and close all networking ports associated with it. If you do need it, protect it with a strong password and consider adding a multi-factor authentication system to ensure that your login credentials aren't the single point of failure for your entire network.

June 11, 2019
