Large 'GoldBrute' RDP Botnet Hunts For Exposed Servers With Weak Passwords (sans.edu)

The Internet Storm Center reports: RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this "Bluekeep" vulnerability focused on patching vulnerable servers, exposing RDP to the Internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them.

The latest example of such a botnet is an ongoing malicious campaign we are referring to as "GoldBrute". This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet... Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.

Long-time Slashdot reader UnderAttack writes: Infected systems will retrieve target lists from the command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.
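The one-guess-per-bot behaviour described above is exactly what defeats the usual "N failures from one source" lockout or alert rule. The following is an added example of a defender-side check, not code from the Internet Storm Center or Slashdot: it counts distinct failing source addresses per target host instead, and assumes failed-logon records have already been parsed into (timestamp, host, source, username) tuples (the sample data is constructed).

```python
# Added example, not code from the ISC diary or Slashdot. GoldBrute's one guess per bot
# per target evades "N failures from one source" rules; counting DISTINCT failing sources
# per host catches it. Input is assumed pre-parsed from failed-logon records (e.g. Windows
# Event ID 4625, LogonType 10 = RemoteInteractive); the sample data below is constructed.
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed: (timestamp_seconds, target_host, source_ip, username_tried)
    (0,    "srv01", "203.0.113.5",  "administrator"),
    (40,   "srv01", "198.51.100.7", "admin"),
    (75,   "srv01", "192.0.2.9",    "backup"),
    (110,  "srv01", "203.0.113.77", "scan"),
    (150,  "srv01", "198.51.100.3", "test"),
    (200,  "srv01", "192.0.2.44",   "user"),
    (3000, "srv02", "203.0.113.5",  "alice"),  # lone failure, not an attack
]

def _window_count(times, window):
    """Largest number of timestamps inside any span of `window` seconds."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best

def per_source_alerts(events, threshold=5, window=600):
    """Classic rule: returns (host, source_ip) pairs with `threshold` failures
    from that one source within `window` seconds. Sees nothing in SAMPLE_EVENTS."""
    by_pair = defaultdict(list)
    for ts, host, src, _user in events:
        by_pair[(host, src)].append(ts)
    return {pair for pair, ts in by_pair.items()
            if _window_count(ts, window) >= threshold}

def distributed_alerts(events, min_sources=5, window=600):
    """Distributed rule: returns {host: peak distinct failing sources} for hosts
    hit from at least `min_sources` addresses within `window` seconds."""
    by_host = defaultdict(list)
    for ts, host, src, _user in events:
        by_host[host].append((ts, src))
    alerts = {}
    for host, recs in by_host.items():
        recs.sort()
        j = 0
        for i, (t, _src) in enumerate(recs):
            while t - recs[j][0] > window:
                j += 1
            n = len({s for _, s in recs[j:i + 1]})
            if n >= min_sources:
                alerts[host] = max(n, alerts.get(host, 0))
    return alerts
```

On the constructed data the per-source rule fires on nothing, while the distributed rule flags srv01 with six distinct failing sources in under four minutes.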

  • by CaptainDork ( 3678879 ) on Saturday June 08, 2019 @02:43PM (#58731498)

    ... 3389 to the last four digits of our phone number.

    That didn't reduce the number of breach attempts at the firewall, but it did hide the path to success.

  • by afxgrin ( 208686 ) on Sunday June 09, 2019 @04:22AM (#58734168)

    I've come across a compromised machine, part of this botnet, that'll replace termsrv.dll to allow more than one user login. It'll also store the credentials from compromised machines in a single large text file. Most credentials were accounts that had the same password as the username, or username/username123.
