Aggressive Brute Force Campaign “GoldBrute” Trying to Access 1.5M RDP Servers (Jun 10, 2019)
Morphus Labs announced the discovery of a new brute force campaign against 1.5 million Remote Desktop Protocol (RDP) servers by a botnet called “GoldBrute.” The campaign targets RDP servers left exposed to the Internet, the same exposure highlighted by the BlueKeep vulnerability (CVE-2019-0708) in the Remote Desktop Services (RDS) of Windows XP and 7, which use RDP. According to Morphus, 1,596,571 servers have been subjected to attempted brute-force attacks targeting RDP accounts. While limiting the number of times a password can be guessed is a vital practice, “GoldBrute” is trying to fly under the radar by limiting itself to one attempt per compromised host, so that no single source ever trips a per-source lockout threshold.
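The one-attempt-per-host behaviour described above is exactly what a per-source failed-logon threshold cannot see. The following detector is an added example, not code from Morphus Labs or from this report: it runs two rules over a constructed set of RDP logon-failure records (the field layout is an assumed simplification of a Windows Security event 4625 export, and the IP addresses are documentation ranges). The classic rule counts failures per source address; the second rule counts distinct source addresses failing against the same host and account within a window, which is the signal a distributed, low-and-slow campaign leaves behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RDP logon-failure records (not real telemetry).
# Six different sources each try the same account on RDP01 once within
# about a minute; one source tries jsmith on RDP02 twice.
SAMPLE_LOG = """\
2019-06-10T12:00:01Z 4625 src=203.0.113.5 user=administrator host=RDP01
2019-06-10T12:00:09Z 4625 src=198.51.100.17 user=administrator host=RDP01
2019-06-10T12:00:20Z 4625 src=192.0.2.33 user=administrator host=RDP01
2019-06-10T12:00:31Z 4625 src=203.0.113.77 user=administrator host=RDP01
2019-06-10T12:00:45Z 4625 src=198.51.100.90 user=administrator host=RDP01
2019-06-10T12:01:02Z 4625 src=192.0.2.101 user=administrator host=RDP01
2019-06-10T12:03:00Z 4625 src=203.0.113.200 user=jsmith host=RDP02
2019-06-10T12:03:30Z 4625 src=203.0.113.200 user=jsmith host=RDP02
"""


def parse_line(line):
    """Parse one 'timestamp event_id key=value ...' record into a dict."""
    ts, event_id, *kv = line.split()
    rec = {k: v for k, v in (f.split("=", 1) for f in kv)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event_id"] = int(event_id)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _sliding(records, key, count, threshold, window):
    """Group 4625 failures by `key`, slide a time window over each group and
    report every key whose `count` of the in-window events reaches threshold."""
    failures = [r for r in records if r["event_id"] == 4625]
    groups = defaultdict(list)
    for r in sorted(failures, key=lambda r: r["ts"]):
        groups[key(r)].append(r)
    alerts = set()
    for k, events in groups.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if count(events[start:end + 1]) >= threshold:
                alerts.add(k)
    return sorted(alerts)


def per_source_alerts(records, threshold=5, window=timedelta(minutes=10)):
    """Classic lockout-style rule: N failures from ONE source within window."""
    return _sliding(records, key=lambda r: r["src"],
                    count=len, threshold=threshold, window=window)


def distributed_alerts(records, threshold=5, window=timedelta(minutes=10)):
    """Distributed rule: N DISTINCT sources fail against the same host+user
    within window, regardless of how few attempts each source makes."""
    return _sliding(records, key=lambda r: (r["host"], r["user"]),
                    count=lambda g: len({r["src"] for r in g}),
                    threshold=threshold, window=window)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-source alerts :", per_source_alerts(recs))      # []
    print("distributed alerts:", distributed_alerts(recs))     # [('RDP01', 'administrator')]
```

On the sample data the per-source rule stays silent, because no address ever exceeds one failure, while the distributed rule flags the administrator account on RDP01 after the fifth distinct source. In practice the threshold and window are tuned per environment, and the host+user key can be relaxed to host alone to catch sprays that rotate usernames as well as sources.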
Recommendation: Ensure that your server is always running the most current software version. Additionally, maintaining strong passwords for RDP and other remote access systems is paramount. If RDP isn’t needed, turn it off while it’s not being used, and consider a firewall rule that blocks RDP on port 3389 for good measure. If RDP is needed, consider using it across a VPN gateway so it’s not exposed on the Internet.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.