A security researcher has discovered a botnet that has attempted to bruteforce access to over 1.5 million RDP servers around the world.
According to a blog post by Renato Marinho of Morphus Labs, the botnet, dubbed GoldBrute, has been found to scan the internet for Windows systems with Remote Desktop Protocol (RDP) connection enabled. The botnet then carries out brute-force RDP connections or credential stuffing attacks.
"This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet. Shodan lists about 2.4 million exposed servers. GoldBrute uses its own list and is extending it as it continues to scan and grow," said Marinho.
The botnet is using a single command and control server (104[.]156[.]249[.]231), with bots exchanging data with the C2 via AES encrypted WebSocket connections to port 8333.
A search on Shodan on systems with RDP enabled unearths around 2.4 million systems.
"An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute," said Marinho.
"Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot has reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot."
The researcher said that once the attacker successfully brute-forces an RDP target, it downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. After uncompressing, it then runs a jar file called "bitcoin.dll".
"The 'dll' extension is possibly to disguise unsuspecting users, but I suspect the 'bitcoin' part calls more attention than a '.jar' extension would," he said.
Next, the new bot will start to scan the internet for open RDP servers they call "brutable", which are sent to the C2 server through a WebSocket connection. Once the bot reaches 80 brutable RDP servers, it starts the brute-force phase.
In the brute-force phase, the bot will continually receive and brute-force "host + username + password" combinations. In the end, the attacker/group behind GoldBrute will have access to all valid combinations.
"After six hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn't execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below," he said.
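The behaviour described above has two observable sides for a defender: the targeted RDP server sees failed logons spread across many bot source addresses (each bot trying only the "host + username + password" combinations it was handed), and the infected host itself talks to the single C2 on TCP 8333. The following is an added example, not code from the article or from Morphus Labs, that turns both into simple detection logic. It assumes a hypothetical one-line-per-event log format (a simplified rendering of Windows Security event 4625 with logon type 10 for RDP, and of a generic firewall connection log); the sample log lines and the alert thresholds are constructed for illustration. The C2 address and port are the ones reported in the article.

```python
"""Detection helpers for GoldBrute-style RDP brute forcing and C2 beaconing.

Added example; not code from the article or from Morphus Labs. The log
formats below are hypothetical simplifications, and the sample lines are
constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Indicators taken from the article: one C2 server, WebSocket over TCP 8333.
GOLDBRUTE_C2_IP = "104.156.249.231"
GOLDBRUTE_C2_PORT = 8333

# Hypothetical flattened form of a Windows 4625 (failed logon) event.
# type=10 is RemoteInteractive, i.e. an RDP logon.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<type>\d+)$"
)

# Constructed sample: six bots each try one combination against RDP-SRV1,
# one admin fat-fingers a password twice on RDP-SRV2, and a non-RDP failure
# on FILE-SRV1 must be ignored.
SAMPLE_4625 = """\
2019-06-06T10:00:01 host=RDP-SRV1 user=administrator src=198.51.100.10 type=10
2019-06-06T10:01:15 host=RDP-SRV1 user=admin src=203.0.113.5 type=10
2019-06-06T10:02:40 host=RDP-SRV1 user=administrator src=198.51.100.77 type=10
2019-06-06T10:04:03 host=RDP-SRV1 user=backup src=192.0.2.9 type=10
2019-06-06T10:05:30 host=RDP-SRV1 user=test src=203.0.113.44 type=10
2019-06-06T10:07:12 host=RDP-SRV1 user=administrator src=198.51.100.200 type=10
2019-06-06T10:00:30 host=RDP-SRV2 user=jsmith src=10.0.0.15 type=10
2019-06-06T10:00:45 host=RDP-SRV2 user=jsmith src=10.0.0.15 type=10
2019-06-06T10:03:00 host=FILE-SRV1 user=svc_backup src=10.0.0.20 type=3
"""

# Hypothetical firewall connection log. Two internal hosts reach the C2 port;
# the denied attempt still marks 10.0.0.31 as a host worth investigating.
SAMPLE_FW = """\
2019-06-06T10:10:02 action=allow proto=tcp src=10.0.0.15:51022 dst=104.156.249.231:8333
2019-06-06T10:10:05 action=allow proto=tcp src=10.0.0.15:51023 dst=104.156.249.231:8333
2019-06-06T10:11:00 action=allow proto=tcp src=10.0.0.20:44010 dst=203.0.113.80:443
2019-06-06T10:12:30 action=deny proto=tcp src=10.0.0.31:39800 dst=104.156.249.231:8333
"""
FW_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_failed_rdp_logons(lines):
    """Yield (timestamp, host, user, src) for failed RDP (type 10) logons only."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("type") != "10":
            continue
        yield (datetime.fromisoformat(m.group("ts")), m.group("host"),
               m.group("user"), m.group("src"))


def detect_rdp_bruteforce(lines, window=timedelta(minutes=10),
                          min_failures=5, min_sources=3, min_users=3):
    """Flag target hosts with many failed RDP logons from many sources or usernames.

    Aggregation is per *target*, not per source: a distributed botnet gives each
    bot only a few attempts per server, so a per-source threshold sees one or
    two failures from each IP and never fires. Thresholds are illustrative.
    """
    recent = defaultdict(deque)   # host -> failures inside the sliding window
    alerts = {}
    for ts, host, user, src in sorted(parse_failed_rdp_logons(lines)):
        q = recent[host]
        q.append((ts, user, src))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        sources = Counter(s for _, _, s in q)
        users = {u for _, u, _ in q}
        if len(q) >= min_failures and (len(sources) >= min_sources or len(users) >= min_users):
            alerts[host] = {
                "failures": len(q),
                "sources": len(sources),
                "users": len(users),
                "max_per_source": max(sources.values()),  # shows why per-IP rules miss it
                "last_seen": ts,
            }
    return alerts


def find_c2_beacons(lines, c2_ip=GOLDBRUTE_C2_IP, c2_port=GOLDBRUTE_C2_PORT):
    """Return {internal_src: count} of TCP connection attempts to the C2 IP:port.

    Denied connections are counted too: the attempt itself indicates an infected host.
    """
    hits = Counter()
    for line in lines:
        m = FW_RE.match(line.strip())
        if (m and m.group("proto").lower() == "tcp"
                and m.group("dst") == c2_ip and int(m.group("dport")) == c2_port):
            hits[m.group("src")] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, info in detect_rdp_bruteforce(SAMPLE_4625.splitlines()).items():
        print(f"RDP brute force against {host}: {info}")
    for src, n in find_c2_beacons(SAMPLE_FW.splitlines()).items():
        print(f"{src} contacted GoldBrute C2 {n} time(s)")
```

On the constructed sample, only RDP-SRV1 is flagged (six failures from six sources using four usernames, with no single source exceeding one attempt), RDP-SRV2's two failures from one user stay below the threshold, and the firewall scan names 10.0.0.15 and 10.0.0.31 as hosts that reached for the C2 port. In production the same per-target aggregation would run over collected 4625 events rather than flattened text, and the C2 indicator would be one entry in a blocklist rather than a hard-coded constant.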
Matthew Aldridge, senior solutions architect at Webroot, told SC Media UK that even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.
"An attacker with access can then easily disable endpoint protection or leverage exploits to allow their malicious payloads to execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well," he said.
"This case highlights yet again the dangers of directly presenting RDP services to the internet. So many times, we have seen brute force attacks being successful against this protocol and opening organisations up for rampant and repeated ransomware attacks. Such exposure should be absolutely avoided. This really is another nail in the coffin for anyone continuing to think that presenting such services publicly is a good idea."
Adam Brown, manager of security solutions at Synopsys, told SC Media UK that firms should ask themselves if they should even have RDP exposed on the internet, as this can simply be down to misconfiguration, due to lack of policy, inadequate standards or even rushed setup.
"RDP is particularly interesting to hackers due to the level of access it gives to the target machine – if the attacker breaks into a server via RDP they can be presented with a Windows desktop and therefore full control of the machine. RDP can be protected with the correct mitigating controls applied based on risk. For example, limiting network access, using VPNs or SSH tunnels with proper account and credential management, or the use of RDP gateways," he said.