GoldBrute – The Enemy of RDP

SDO Marketing Staff | July 2, 2019

Hardly a month goes by without new reports on attacks exploiting vulnerable password-based authentication systems. Earlier this month, analysts at Morphus Labs discovered a malicious bot campaign they named GoldBrute.

Mode of Attack

GoldBrute is a botnet that aims to break into Remote Desktop Protocol (RDP) servers that have weak credentials. The bot works through a list of 1.5M RDP servers exposed to the internet and uses a form of credential stuffing to gain illicit access.

To avoid detection, GoldBrute is programmed to try only one username/password combination from any given IP address. This is almost certainly done to avoid setting off security controls that count repeated failures from a single source.
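The one-attempt-per-source behaviour described above is exactly what a conventional per-source failure threshold misses. The following Python script, added here as an illustration and not code from the original post or from Morphus Labs, runs two detection rules over a constructed set of Windows Security events (event ID 4625, LogonType 10 marks a failed RDP logon): a classic per-source rule, and a per-target rule that counts distinct source IPs failing against the same host. The field names (`target_host`, `src_ip`, and so on) are assumed for the example; a real pipeline would fill them from parsed EVTX or forwarded logs.

```python
"""Detect a distributed one-attempt-per-source RDP brute force.

Windows records a failed logon as Security event 4625; LogonType 10
(RemoteInteractive) identifies an RDP session attempt. The records below
are constructed for this example, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names assumed for this example).
SAMPLE_EVENTS = [
    # Eight different sources, each trying the same host exactly once.
    {"ts": "2019-06-10T03:00:01", "event_id": 4625, "logon_type": 10,
     "target_host": "rdp-01", "target_user": "administrator",
     "src_ip": f"198.51.100.{i}"}
    for i in range(1, 9)
] + [
    # One noisy source hammering a second host: the classic case.
    {"ts": f"2019-06-10T03:00:{s:02d}", "event_id": 4625, "logon_type": 10,
     "target_host": "rdp-02", "target_user": "helpdesk",
     "src_ip": "203.0.113.7"}
    for s in range(10, 17)
] + [
    # A single typo by a legitimate user: one failure, then nothing.
    {"ts": "2019-06-10T03:05:00", "event_id": 4625, "logon_type": 10,
     "target_host": "rdp-03", "target_user": "alice", "src_ip": "192.0.2.9"},
]


def rdp_failures(events):
    """Keep only failed RemoteInteractive (RDP) logons."""
    return [e for e in events
            if e["event_id"] == 4625 and e["logon_type"] == 10]


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Lockout-style rule: N failures from one source IP inside a window.

    Returns the set of source IPs that exceed the threshold.
    """
    by_src = defaultdict(list)
    for e in rdp_failures(events):
        by_src[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        # Any run of `threshold` consecutive attempts within `window` triggers.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged


def per_target_alerts(events, min_sources=5, window=timedelta(minutes=10)):
    """Distributed-spray rule: count DISTINCT source IPs failing against the
    same target host inside a window.

    One attempt per source never trips the per-source rule, but many sources
    converging on one host in a short time stands out here. Returns a mapping
    of target host to the number of distinct sources observed.
    """
    by_target = defaultdict(list)
    for e in rdp_failures(events):
        by_target[e["target_host"]].append(
            (datetime.fromisoformat(e["ts"]), e["src_ip"]))
    flagged = {}
    for host, attempts in by_target.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            srcs = {ip for t, ip in attempts[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[host] = len(srcs)
                break
    return flagged


if __name__ == "__main__":
    print("per-source rule flags:", per_source_alerts(SAMPLE_EVENTS))
    print("per-target rule flags:", per_target_alerts(SAMPLE_EVENTS))
```

On the sample, the per-source rule flags only 203.0.113.7 and is blind to rdp-01, while the per-target rule flags rdp-01 with eight distinct sources and ignores the single typo against rdp-03. The per-target rule generalizes beyond GoldBrute to any low-and-slow campaign that spreads attempts across many hosts, and the window and source-count parameters should be tuned to the size of the environment.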

It should be noted that once an attacker has access to the RDP server, they have full access to its Windows host. Anything the legitimate user would have permission to do can now be executed remotely by the attacker. (See image below by morphuslabs.com.)

According to Morphus Labs, the GoldBrute campaign has been running strong since at least early June. At its current rate of infection, GoldBrute will have access to millions of RDP machines.

[Image: GoldBrute process diagram, via morphuslabs.com]

Threat Number One

Two things make GoldBrute interesting malware. First, it is a ‘wormable’ bot, which means it can propagate from one computer to another indefinitely. Second, GoldBrute requires no user interaction to spread. Once a machine is infected, it becomes a tool in the hands of attackers, entirely unbeknownst to its owners.

The appearance of the BlueKeep ‘Mega-Worm’ earlier this month offered a timely preview for GoldBrute, which researchers consider even more effective in its ability to identify and infect machines. GoldBrute is currently considered a serious threat to Windows machines.


RDP: The Fatal Flaw

GoldBrute is not the first time RDP has come up as a serious security vulnerability. Remote access has long been a major point of weakness that IT administrators have had to contend with.

RDP is used extensively. Tech support and IT managers use RDP to connect to and interact with machines remotely. Remote workers use RDP to access the corporate network and resources.

Several weeks ago, the National Security Agency issued an alert about the risks of RDP. Last year the FBI released a similar warning about the vulnerability of RDP.

Shoring Up the Flaw

Protecting access to RDP servers with multi-factor authentication will surely make them more resilient to attack.

Enforcing MFA on all remote access connections will help mitigate attacks like GoldBrute. The Secret Double Octopus authentication solution covers all types of remote access, from VPN to RDP and VDI, and defends it with a high-assurance multi-factor authenticator.