A new botnet tracked as GoldBrute is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.
A new botnet tracked as GoldBrute has appeared in the threat landscape, it is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.
The botnet is currently targeting over 1.5 million unique endpoints online, it is used to brute-force RDP connections or to carry out credential stuffing attacks.
Querying the Shodan search engine for systems with RDP enabled it is possible to find roughly 2.4 million machines.
“An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute” continues the expert.
“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.”
Below the complete attack chain:
- Botnet brute-forces RDP connection and gains access to a poorly protected Windows system.
- It downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. It uncompresses and runs a jar file called “bitcoin.dll”.
- The bot will start to scan the internet for “brutable” RDP servers and send their IPs to the C2 that in turn sends a list of IP addresses to brute force.
- GoldBrute bot gets different “host + username + password” combinations.
- Bot performs brute-force attack and reports result back to C2 server.
According to the researcher, the list of “brutable” RDP targets is rapidly growing, this suggests that also the size of the botnet is increasing.
“Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.” continues the expert.
“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.”
The post New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers appeared first on Security Affairs.
- Defence Secretary Gavin Williamson sacked over Huawei leak
- Daily Telegraph publishes details of a meeting about using the Chinese telecoms firm to help build the UK's 5G network
- Huawei row: Inquiry to be held into National Security Council leak
- Is Huawei a Threat to UK National Security?
- What's the greater risk to UK 5G, Huawei backdoors or DDoS?
- Backdoors found in Huawei-supplied Vodafone equipment between 2011 and 2012
- Microsoft researchers find NSA-style backdoor in Huawei laptops
- 5G cyber-attack: What would be the effect on the UK?
- Huawei: Why UK is at odds with its cyber-allies
- NCSC: Huawei threat to national security
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before CyberUK 2019 conference in Glasgow, which I was unable attend due work commitments, said the most common password on breached accounts was"123456", used by 23.2 million accounts worldwide. Next on the list was "123456789" and "qwerty", "password" and "1111111". Liverpool was the most common Premier League Football team used as a password, with Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches. So password still remains the biggest Achilles' heel with our security.
The UK hacktivist threat came back to the fore this month, after the Anonymous Group took revenge on the UK government for arresting WikiLeaks founder Julian Assange, by attacking Yorkshire Councils. I am not sure what Yorkshire link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack, a tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana' with an image, suggested they had access to Bedale Council's confidential files, and were threatening to leak them.
Finally, but not lest, a great report by Recorded Future on the raise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checkers' tools to validate compromised credentials, before selling them on.
I am aware of school children getting sucked into this illicit world, typically starts with them seeking to take over better online game accounts after their own account is compromised, they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using unique complex passwords with every web account (use a password manager or vault to help you - see password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or have are informed your account 'may' have compromised, change your password straight away.
- How Business can address the Security Concerns of Online Shoppers
- Third Party Security Risks to Consider and Manage
- Huawei to be given limited access to UK 5G Network
- The NCSC launches Cyber Security tool for UK Businesses and Authorities
- German Drug Manufacturer Beyer hit by Malware Attack originating from China
- Aebi Schmidt latest Manufacturer dealing with Ransomware Cyberattack
- 540M Facebook Member Records exposed by an Unsecure AWS S3 Bucket
- Microsoft will drop Password Expiration Policies in Windows 10 and in Windows Server
- 'Assange Supporters’ Claim to Hack Yorkshire Councils
- Hackers beat University Cyber-Defences in Two Hours
- App leaves over 2 Million WiFi Network Passwords Exposed on Open Database
- Two in Three Hotel Websites Leak Guest Booking Details and Allow Access to Personal Data
- Yahoo to pay £90M in latest settlement of Massive Breach
- Hackers nab emails and more in Microsoft Outlook, Hotmail, and MSN Compromise
- 4 in 5 IT Chiefs are delaying Security Patches to avoid Business Disruption
- A Public Database Exposed the Medical Records of 150,000 Rehab Patients
- Amnesty Intl. says Cyberattack on Hong Kong office appears linked to known APT group
- Cyber-Attacks ‘Damage’ National Infrastructure
- Microsoft Patches 75 Vulnerabilities, including 14 Critical for Windows, IE\Edge, Chakra and Adobe Flash
- Adobe Releases fixes 21 Vulnerabilities in Acrobat and Acrobat Reader
- Machines running popular AV software go unresponsive after Microsoft Windows update
- Apache Tomcat Vulnerability Results in Remote Code Execution
- Adobe’s Patch Tuesday includes Security Updates for Flash Player and AIR
- Attackers Exploit WordPress Zero Day following Disclosure
- WinRAR Exploit used by MuddyWater APT phishing gang
- ISC Patches Three Vulnerabilities in BIND
- Flawed P2P technology Threatens Millions of IoT Devices
- The Economy of Credential Stuffing Attacks
- ShadowHammer code Found in several Video Games
- Researchers uncover new ‘TajMahal’ APT framework, plus a new Gaza Cybergang malware campaign
- Baldr Stealer Malware Active in the Wild With ongoing Updates
- TA505 Targets Financial and Retail using 'Undetectable' Methods
- Lazarus Targets Mac Users With Malware
- Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure