2025-04-01 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
This article explains what the GoldBrute botnet is and what harm it does to Internet-facing RDP services.
Among recent network attacks, the BlueKeep vulnerability has probably drawn the most discussion. But researchers have since warned that the newly discovered GoldBrute botnet currently poses as much of a threat to Windows systems as BlueKeep does.
1. Overview
Security researchers have identified an ongoing, sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP (Remote Desktop Protocol) servers on the Internet. The GoldBrute botnet is controlled by a C2 (command and control) server at IP address 104.156.249.231, located in New Jersey, USA.
The botnet, known as GoldBrute, grows by continually adding newly cracked systems, which in turn locate and brute-force further exposed RDP servers. To evade detection by security tools and malware analysts, the operator assigns each infected device in the botnet a unique username and password combination to try, so a target server sees brute-force attempts arriving from many different IP addresses rather than a stream of guesses from one source. Lockout policies and detection rules that count failures per source IP therefore see very little from any single address.
2. Attack flow
The specific flow of the malicious activity, as discovered by Renato Marinho, lead researcher at the security firm Morphus Labs, is shown in the following figure:
Step 1: after successfully brute-forcing an RDP server, the attacker installs the Java-based GoldBrute bot malware on that device.
Step 2: to control the infected device, the attacker uses a single fixed, centralized C2 (command and control) server, exchanging commands and data over AES-encrypted WebSocket connections.
Steps 3 and 4: each infected device then receives its first task: scan for, and report back, a list of at least 80 new publicly accessible RDP servers that can be brute-forced.
Steps 5 and 6: as its second task, each infected device is assigned a specific set of usernames and passwords, which it must try against the RDP servers on the list above.
Step 7: when a login succeeds, the infected device automatically uploads the working credentials to the C2 server.
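The defensive consequence of the flow above is that each bot makes only a few guesses against any one target, so a rule that counts failures per source IP (the classic lockout or fail2ban-style threshold) barely fires. The following detector is an added example, not code from the original article or from the GoldBrute research: it reads a constructed, flattened form of Windows Security log records (Event ID 4625, "an account failed to log on", with LogonType 10, RemoteInteractive, which is how RDP failures appear in the Security log) and compares a per-source rule against a per-target rule that counts distinct source IPs. The log layout, host names, addresses and thresholds are all assumptions chosen for illustration.

```python
"""Detector for the distributed RDP brute-force pattern described above.

Added example (not the article's or the researchers' code). It assumes
failed logons arrive as flattened Windows Security records: Event ID 4625
(failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP). The
'TIMESTAMP Key=Value ...' layout, hosts, IPs and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log for one target host. Eight bots each make exactly
# one attempt with a different credential pair inside two minutes (the
# one-credential-per-bot pattern described in the article); 10.0.0.5 is a
# legitimate user who typos twice and then succeeds (4624); the LogonType 2
# line is a console failure and must be ignored by an RDP rule.
SAMPLE_LOG = """\
2019-06-06T10:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.10 Computer=RDP-SRV01
2019-06-06T10:00:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7 Computer=RDP-SRV01
2019-06-06T10:00:22Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=192.0.2.33 Computer=RDP-SRV01
2019-06-06T10:00:40Z EventID=4625 LogonType=10 TargetUserName=user IpAddress=198.51.100.77 Computer=RDP-SRV01
2019-06-06T10:00:58Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.150 Computer=RDP-SRV01
2019-06-06T10:01:15Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=192.0.2.200 Computer=RDP-SRV01
2019-06-06T10:01:31Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.201 Computer=RDP-SRV01
2019-06-06T10:01:50Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.42 Computer=RDP-SRV01
2019-06-06T10:02:05Z EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=- Computer=RDP-SRV01
2019-06-06T10:02:30Z EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.5 Computer=RDP-SRV01
2019-06-06T10:02:41Z EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.5 Computer=RDP-SRV01
2019-06-06T10:02:55Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.5 Computer=RDP-SRV01
"""


def parse_log(text):
    """Parse 'TIMESTAMP Key=Value ...' lines into dicts with a UTC datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(item.split("=", 1) for item in rest.split())
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["EventID"] = int(ev["EventID"])
        ev["LogonType"] = int(ev["LogonType"])
        events.append(ev)
    return events


def failed_rdp_logons(events):
    """Keep only failed RDP logons: 4625 with the RemoteInteractive logon type."""
    return [e for e in events if e["EventID"] == 4625 and e["LogonType"] == 10]


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Lockout-style rule: one source IP with >= threshold failures in window.
    This is the rule a one-credential-per-bot campaign slips under."""
    by_ip = defaultdict(list)
    for e in failed_rdp_logons(events):
        by_ip[e["IpAddress"]].append(e["time"])
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def distributed_alerts(events, min_sources=6, window=timedelta(minutes=10)):
    """Per target host, count DISTINCT source IPs that failed inside window,
    however few attempts each made. Returns {host: summary} for hosts that
    reach min_sources; the summary records how low the per-source count was."""
    by_host = defaultdict(list)
    for e in failed_rdp_logons(events):
        by_host[e["Computer"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            per_source = defaultdict(int)
            for e in in_window:
                per_source[e["IpAddress"]] += 1
            if len(per_source) >= min_sources:
                alerts[host] = {
                    "window_start": first["time"].isoformat(),
                    "distinct_sources": len(per_source),
                    "distinct_users": len({e["TargetUserName"].lower() for e in in_window}),
                    "attempts": len(in_window),
                    "max_attempts_per_source": max(per_source.values()),
                }
                break  # the first window that crosses the line is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source rule flags:", per_source_alerts(evs) or "nothing")
    for host, a in distributed_alerts(evs).items():
        print(f"{host}: {a['distinct_sources']} sources, {a['distinct_users']} users, "
              f"{a['attempts']} attempts, at most {a['max_attempts_per_source']} per source")
```

On the sample, the per-source rule flags nothing (the busiest address, the legitimate user, has two failures), while the per-target rule reports nine distinct sources in under three minutes with at most two attempts from any one of them. In a real deployment the same counting applies to 4625/LogonType 10 records pulled from the Security log; the thresholds should be tuned to the host's normal number of distinct RDP clients, and the rule should also be run with the source IP replaced by the target account, since the bots here spread their guesses across usernames too.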
It is not clear exactly how many RDP servers have been compromised and are now taking part in brute-force attacks against other RDP servers on the Internet.
At the time, a quick Shodan search by the researchers showed about 2.4 million Windows RDP servers publicly accessible on the Internet, more than half of which were probably being brute-forced.
© 2024 shulou.com SLNews company. All rights reserved.