The GoldBrute botnet is trying to crack open 1.5 million RDP servers

Even its most optimistic users would have to concede that it’s been a bracing few weeks for anyone who relies on Microsoft’s Remote Desktop Protocol (RDP).

The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

That came hot on the heels of Microsoft’s urgent warning in May about the risk of a dangerous “wormable” vulnerability called BlueKeep (CVE-2019-0708) in Windows XP and 7’s Remote Desktop Services (RDS), which uses RDP.

Underlining the worry, two weeks after the initial alert, Microsoft issued a second anxious nudge when it discovered at least one million vulnerable systems had yet to apply the available patch.

By the time the US National Security Agency (NSA) chipped in with its own mildly apocalyptic BlueKeep alert on 4 June 2019, it was clear they believed something unpleasant might be brewing.

It’s behind you

The mega-attack exploiting BlueKeep has yet to materialise, but what users have got in the meantime is GoldBrute, a much more basic threat that targets the problem of RDP servers left exposed to the internet.

A search on Shodan puts the number of servers in this vulnerable state at 2.4 million, 1,596,571 of which, Morphus discovered, had been subjected to an attempted brute force attack targeting weak credentials.

On each server where this is successful, the command and control server uploads the GoldBrute code in zip form; the newly infected host then uses it as a launch pad for more RDP server scans, and is handed a new list of IPs and servers to attempt brute-force against. Marinho wrote:

Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.

Morphus doesn’t know how many attacks were successful, which is necessary to estimate the bot’s size. However, the company did geolocate the servers on the global target list with major hot spots in China (876,000 servers) and the US (434,000).

GoldBrute uses its own list and is extending it as it continues to scan and grow.

RDP has had its problems over the years – in 2017 we dubbed it the ‘Ransomware Desktop Protocol’ in honour of its use by extortion malware – but events of recent weeks suggest the threat is getting worse, or at least more high profile.

What you don’t know can hurt you

Inevitably, some of the servers turning up on Shodan have simply been turned on and forgotten about, exposing their owners to the “out of sight, out of mind” risk. The first task, then, is to see whether the same is true on your network.

If RDP isn’t needed, turn it off while it’s not being used, perhaps setting a firewall rule to block RDP on port 3389 for good measure.

If RDP is needed, consider using it across a VPN gateway so it’s not exposed on the internet.

Ideally, also turn on some form of network multi-factor authentication which dramatically reduces the risk in the event that server credentials are somehow compromised.

Normally, it’s a good idea to limit the number of times a password can be guessed, although, as noted above, GoldBrute tries to fly under the radar by limiting itself to one attempt per compromised host.
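Because each bot makes only one guess, a per-source lockout or “five failures from one IP” rule never fires; a defender has to look across sources instead. The script below is an added example, not code from the article or from Morphus Labs. It assumes Windows Security log records (Event ID 4625 for a failed logon, logon type 10 for RDP) have been flattened into a constructed pipe-separated format, and the sample records are made up; it contrasts the classic per-source rule with a window-based rule that counts distinct sources making only a single failed attempt each.

```python
"""Spot the distributed one-attempt-per-source RDP brute force pattern
(GoldBrute style) that per-source lockout rules miss.

Assumed record format (constructed, stands in for a SIEM export):
    timestamp|event_id|logon_type|target_user|source_ip
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"        # Windows Security: an account failed to log on
REMOTE_INTERACTIVE = "10"    # logon type 10 = RDP / Terminal Services

# Constructed sample records: eight distinct sources each fail exactly once
# against admin accounts within a few minutes, plus benign noise.
SAMPLE_EVENTS = [
    "2019-06-06T10:00:01|4625|10|Administrator|198.51.100.10",
    "2019-06-06T10:00:47|4625|10|admin|198.51.100.23",
    "2019-06-06T10:01:30|4625|10|Administrator|203.0.113.5",
    "2019-06-06T10:02:12|4625|10|Administrator|203.0.113.77",
    "2019-06-06T10:02:12|4625|10|jsmith|192.0.2.5",      # user mistyping, twice
    "2019-06-06T10:02:40|4625|10|jsmith|192.0.2.5",
    "2019-06-06T10:03:05|4625|10|admin|198.51.100.99",
    "2019-06-06T10:04:18|4625|3|svc_backup|192.0.2.9",   # network logon, not RDP
    "2019-06-06T10:05:50|4625|10|Administrator|203.0.113.140",
    "2019-06-06T10:06:33|4625|10|admin|198.51.100.201",
    "2019-06-06T10:07:09|4625|10|Administrator|203.0.113.201",
    "2019-06-06T10:08:00|4624|10|jsmith|192.0.2.5",      # successful logon
    "2019-06-06T10:31:15|4625|10|Administrator|198.51.100.50",
    "2019-06-06T10:33:40|4625|10|admin|203.0.113.9",
]


def parse_event(line):
    """Split one constructed record into a dict with a real timestamp."""
    ts, event_id, logon_type, user, source_ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "user": user, "source_ip": source_ip}


def rdp_failures(lines):
    """Keep only failed logons that arrived over RDP (logon type 10)."""
    return [e for e in map(parse_event, lines)
            if e["event_id"] == FAILED_LOGON and e["logon_type"] == REMOTE_INTERACTIVE]


def per_source_lockout_alerts(lines, threshold=5):
    """Classic rule: flag any single source IP with >= threshold failures.
    A botnet that spends one guess per bot never reaches the threshold."""
    counts = Counter(e["source_ip"] for e in rdp_failures(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_bruteforce_alerts(lines, window=timedelta(minutes=10),
                                  min_sources=5, max_per_source=1):
    """Flag a time window in which many distinct sources each make only
    max_per_source failed RDP logons: guesses spread across hosts to stay
    under per-source thresholds. Returns {window_start: details}."""
    buckets = defaultdict(list)
    for e in rdp_failures(lines):
        # Floor each timestamp to the start of its fixed-size window.
        start = datetime.min + ((e["ts"] - datetime.min) // window) * window
        buckets[start].append(e)

    alerts = {}
    for start, events in sorted(buckets.items()):
        per_ip = Counter(e["source_ip"] for e in events)
        low_and_slow = {ip for ip, n in per_ip.items() if n <= max_per_source}
        if len(low_and_slow) >= min_sources:
            targets = sorted({e["user"] for e in events if e["source_ip"] in low_and_slow})
            alerts[start.isoformat()] = {"sources": len(low_and_slow), "targets": targets}
    return alerts


if __name__ == "__main__":
    print("per-source lockout rule:", per_source_lockout_alerts(SAMPLE_EVENTS))
    print("distributed rule:", distributed_bruteforce_alerts(SAMPLE_EVENTS))
```

On the sample data the per-source rule returns nothing, while the window rule reports eight single-attempt sources against the Administrator and admin accounts in the 10:00 window and stays quiet for the two stray failures at 10:30. Tune `min_sources` and `window` to the baseline of your own estate; a public-facing RDP host will see more background noise than an internal one, which is one more reason to put it behind a VPN gateway as suggested above.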

If there’s one piece of good news regarding RDP threats it’s that they’re coming to light before mass exploitation – there is still time to act.