Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet.
Renato Marinho of Morphus Labs, who discovered the botnet, says it has been seen attacking 1,596,571 RDP endpoints, a number that will most likely rise in the coming days.
To fly under the radar of security tools and malware analysts, the attackers behind this campaign command each infected machine to target millions of servers with a unique username and password combination, so that a targeted server receives brute-force attempts from many different IP addresses.
Named GoldBrute, the botnet works as follows:
- The botnet brute-forces its way into a Windows system via RDP.
- It downloads a ZIP file containing the GoldBrute malware code.
- It scans the Internet for new RDP endpoints that are not already on GoldBrute's main list of RDP endpoints.
- After it finds 80 new RDP endpoints, it sends the list of IP addresses to its remote command-and-control server.
- The infected host receives a list of IP addresses to brute-force. For each IP address there is only one username and password the bot must try to authenticate with; each GoldBrute bot gets a different username and password combination.
- The bot performs the brute-force attempt and reports the result back to the C&C server.
At this moment, it is unclear exactly how many RDP servers have already been compromised and are participating in the brute-force attacks against other RDP servers on the Internet.
The bad news for companies and users running RDP endpoints exposed on the Internet is that the botnet is also difficult to detect and stop. This is because every GoldBrute-infected system only launches one password-guessing attempt per victim, preventing security systems that provide brute-force protection from kicking in.
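The detection gap described above can be seen in log aggregation logic. The following added example (not code from the article or from Morphus Labs) runs a classic per-source lockout check and a target-side distributed check over constructed failed-logon records modelled on Windows Event ID 4625 fields; the timestamps, IP addresses and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed RDP logons seen by ONE target host
# (timestamp, source IP, attempted username). Not real telemetry.
# Like GoldBrute, every source IP makes exactly one attempt.
SAMPLE_EVENTS = [
    ("2019-06-06T10:00:01", "203.0.113.10", "administrator"),
    ("2019-06-06T10:00:09", "198.51.100.22", "admin"),
    ("2019-06-06T10:00:15", "192.0.2.77", "backup"),
    ("2019-06-06T10:00:31", "203.0.113.44", "scanner"),
    ("2019-06-06T10:00:47", "198.51.100.3", "administrator"),
    ("2019-06-06T10:00:58", "192.0.2.120", "test"),
]


def parse_events(events):
    """Convert ISO timestamps to datetime objects; keep source and user."""
    return [(datetime.fromisoformat(ts), src, user) for ts, src, user in events]


def per_source_alerts(events, threshold=5):
    """Classic account-lockout style logic: count failures per source IP.

    Returns the set of source IPs that crossed the threshold. With one
    attempt per source, as in this campaign, nothing ever trips it.
    """
    counts = defaultdict(int)
    for _, src, _ in parse_events(events):
        counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


def distributed_alert(events, window=timedelta(minutes=5), min_sources=5):
    """Target-side logic: flag when many DISTINCT sources each fail within
    a sliding time window, regardless of how few attempts each one makes.

    Returns (alerted, distinct_source_count_in_the_triggering_window).
    """
    parsed = sorted(parse_events(events))  # sort by timestamp
    for i, (t0, _, _) in enumerate(parsed):
        # Distinct sources in the window starting at event i
        sources = {src for t, src, _ in parsed[i:] if t - t0 <= window}
        if len(sources) >= min_sources:
            return True, len(sources)
    return False, 0
```

Per-source counting sees six harmless single failures, while the distributed check sees six different sources hitting the same host inside one minute and raises an alert.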
Dubbed BlueKeep, the patched vulnerability (CVE-2019-0708) is a wormable flaw that could allow remote attackers to take control of RDP servers and, if successfully exploited, could cause havoc around the world, potentially much worse than the WannaCry and NotPetya wormable attacks did in 2017.