
GoldBrute – The Enemy of RDP

Hardly a month goes by without new reports of attacks exploiting weak password-based authentication. In June, analysts at Morphus Labs discovered a malicious bot campaign they named GoldBrute.

Mode of Attack

GoldBrute is a botnet that targets internet-exposed Remote Desktop Protocol (RDP) servers protected only by weak credentials. Its bots work through a list of roughly 1.5 million RDP servers exposed to the internet and run a distributed, low-and-slow brute-force attack against their logins to gain illicit access.

To avoid detection, GoldBrute makes each infected host try only one username/password combination against a given target. No single source IP ever produces the run of failed logons that would trip account-lockout or rate-limiting controls, even though the botnet as a whole is hammering the same server from many addresses.

It should be noted that once an attacker has logged in to the RDP server, they have an interactive session on its Windows host with whatever rights the compromised account holds. Anything the legitimate user would have permission to do can now be executed remotely by the attacker (see image below by morphuslabs.com).

According to Morphus Labs, the GoldBrute campaign has been running since at least early June. If it keeps growing at its current rate of infection, GoldBrute could gain access to millions of RDP machines.
[Figure: GoldBrute attack process (image by morphuslabs.com)]

Threat Number One

Two things make GoldBrute an interesting piece of malware. First, it is 'wormable': every compromised host is turned into a new bot that scans and attacks further targets, so it can propagate from one computer to another indefinitely. Second, GoldBrute requires no user interaction to spread. Once a machine is infected, it becomes a tool in the hands of the attackers, entirely unbeknownst to its owners.

The public warnings in May and June about a potential 'mega-worm' exploiting the BlueKeep RDP vulnerability (CVE-2019-0708) offered a timely preview for GoldBrute, which researchers consider even more effective at identifying and infecting machines: it needs no unpatched flaw at all, since weak passwords alone let it in, so fully patched hosts are targets too. GoldBrute is currently considered a serious threat to internet-facing Windows machines.


RDP: The Fatal Flaw

GoldBrute is not the first time RDP has been at the centre of a serious security problem. Remote access has long been a major weakness that IT administrators have to contend with: an RDP server exposed to the internet and protected only by a password is reachable by anyone who can guess that password.

RDP is used extensively. Tech support and IT managers use RDP to connect to and interact with machines remotely. Remote workers use RDP to access the corporate network and resources.

In early June, the National Security Agency issued an advisory on the BlueKeep vulnerability, urging administrators to patch and to stop exposing RDP directly to the internet where it is not needed. Last year the FBI released a similar public service announcement warning that criminals were increasingly exploiting exposed RDP.

Shoring Up the Flaw

Protecting access to RDP servers with multi-factor authentication makes them far more resilient to this kind of attack, because a guessed password by itself no longer grants a session.

Enforcing MFA on all remote access connections helps mitigate attacks like GoldBrute. The Secret Double Octopus authentication solution covers all types of remote access, from VPN to RDP and VDI, and protects them with a high-assurance multi-factor authenticator.

By Inbal Voitiz | July 2nd, 2019 | Categories: Articles

About the Author: Inbal Voitiz

Inbal Voitiz is VP of Marketing at Secret Double Octopus, where she spends most of her time discussing network vulnerabilities and surveying security professionals to learn about their authentication needs. She is also the co-founder of the video collaboration and review platform LookAt. Before joining the password-free enterprise, Inbal's password used to be 10Jsuited!, her favorite hand in Texas Hold'em poker.
