GoldBrute – The Enemy of RDP

Threats and Attacks

Jul 2, 2019

Hardly a month goes by without new reports on attacks exploiting vulnerable password-based authentication systems. Earlier this month, analysts at Morphus Labs discovered a malicious bot campaign they named GoldBrute.

Mode of Attack

GoldBrute is a botnet that aims to compromise Remote Desktop Protocol (RDP) servers that have weak credentials. The bot works through a list of 1.5M internet-exposed RDP servers and uses a form of credential stuffing to gain illicit access.

To avoid detection, GoldBrute is programmed to try only one username/password combination from a given IP address. This is almost certainly done to avoid triggering security controls.
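The one-attempt-per-IP pacing described above is exactly what per-source lockout rules miss. As an added example (not code from the original post or from Morphus Labs), the following compares a classic per-source failure threshold with a detection that aggregates failed logons per target host over a sliding window; the event records are constructed and the field names are assumptions modelled on Windows Security event 4625 (RDP logon failures).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _event(ts, target, src_ip, user):
    # Assumed field layout; a constructed stand-in for a failed-logon record.
    return {"ts": ts, "target": target, "src_ip": src_ip, "user": user}


# Constructed sample: six distinct source IPs each fail exactly once against
# rdp-host-1 within ten minutes (GoldBrute-style pacing), plus one user on
# rdp-host-2 mistyping a password twice (benign noise).
SAMPLE_EVENTS = [
    _event(f"2019-06-10T10:{2 * i:02d}:00", "rdp-host-1", f"198.51.100.{i + 1}", u)
    for i, u in enumerate(["administrator", "admin", "user", "test", "guest", "backup"])
] + [
    _event("2019-06-10T10:05:00", "rdp-host-2", "203.0.113.7", "alice"),
    _event("2019-06-10T10:06:00", "rdp-host-2", "203.0.113.7", "alice"),
]


def per_source_alerts(events, max_failures=3):
    """Classic lockout-style rule: alert when one source IP fails more than
    `max_failures` times. One attempt per IP never crosses this threshold."""
    failures = Counter(e["src_ip"] for e in events)
    return sorted(ip for ip, n in failures.items() if n > max_failures)


def distributed_alerts(events, window_minutes=15, min_sources=5):
    """Flag targets that receive failed logons from at least `min_sources`
    distinct source IPs within any `window_minutes` window. Returns a dict of
    target -> peak number of distinct sources seen in one window."""
    window = timedelta(minutes=window_minutes)
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append((datetime.fromisoformat(e["ts"]), e["src_ip"]))
    flagged = {}
    for target, attempts in by_target.items():
        attempts.sort()
        in_window = Counter()  # distinct sources currently inside the window
        start = 0
        for ts, src in attempts:
            in_window[src] += 1
            while attempts[start][0] < ts - window:  # evict expired attempts
                old = attempts[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_sources:
                flagged[target] = max(flagged.get(target, 0), len(in_window))
    return flagged
```

On the sample data the per-source rule raises nothing, while the per-target rule flags rdp-host-1 with six distinct sources; tuning `min_sources` against the normal number of remote users per host keeps the benign case quiet.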

It should be noted that once an attacker has access to the RDP server, he has full access to its Windows host. Anything the legitimate user has permission to do can now be executed remotely by the attacker. (see image below by

According to Morphus Labs, the GoldBrute campaign has been running strong since at least early June. At its current rate of infection, GoldBrute will have access to millions of RDP machines.

[Figure: GoldBrute process diagram]

Threat Number One

Two things make GoldBrute interesting as malware. First, it is ‘wormable’, meaning it can propagate from one computer to another indefinitely. Second, it requires no user interaction to spread. Once a machine is infected, it becomes a tool in the hands of the attackers, entirely unbeknownst to its owner.

The appearance of the BlueKeep ‘Mega-Worm’ earlier this month offered a timely preview for GoldBrute, which researchers consider even more effective in its ability to identify and infect machines. GoldBrute is currently considered a serious threat to Windows machines.


RDP: The Fatal Flaw

GoldBrute is not the first time RDP has surfaced as a serious security weakness. Remote access has long been a major point of weakness for IT administrators to contend with.

RDP is used extensively. Tech support and IT managers use RDP to connect to and interact with machines remotely. Remote workers use RDP to access the corporate network and resources.

Several weeks ago, the National Security Agency issued an alert about the exposure of RDP. Last year the FBI released a similar warning about the vulnerability of RDP.

Shoring Up the Flaw

Protecting access to RDP servers with multi-factor authentication will surely make them more resilient to attack.

Enforcing MFA on all remote access connections will help mitigate attacks like GoldBrute. The Secret Double Octopus authentication solution covers all types of remote access, from VPN to RDP and VDI, defending remote access with a high-assurance multi-factor authenticator.
