In mid-May, a vulnerability in older versions of Windows was disclosed. Named BlueKeep (CVE-2019-0708), this Remote Desktop Services flaw affects over one million devices around the world. For the time being, however, it has yet to be used in a real attack. Now, a group of researchers has discovered a threat that potentially affects even more systems.

GoldBrute: a threat to RDP

This new threat is GoldBrute, a botnet that is currently scanning the Internet for Windows machines with the Remote Desktop Protocol (RDP) exposed. The researchers have found that the malware has compiled a list of over 1.5 million unique systems with RDP enabled.

How GoldBrute works

To access a system, GoldBrute employs brute force or credential stuffing attacks. A curious feature of this malware is that each bot tries just one username and password combination against each target. The botnet most likely uses this tactic to slip past the most common security controls, which count failed logons per source IP address: repeated attempts from the same address would arouse suspicion, whereas a single attempt from each of thousands of addresses never trips a per-IP threshold.
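The blind spot described above can be shown on failed-logon records. The following is an added example, not code from the original article or from the researchers who analysed GoldBrute: it assumes Windows Security event 4625 records have already been collected into Python dicts with the fields the event carries (TimeCreated, TargetUserName, IpAddress, LogonType), and the sample records are constructed for illustration. A classic per-source rule sees nothing, while a rule that counts distinct source addresses per target account catches the distributed guessing.

```python
"""Per-IP vs. per-account detection of distributed RDP password guessing.

Added example; the event records below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types under which RDP failures appear in event 4625: 10 is
# RemoteInteractive; with Network Level Authentication enabled the failure
# is recorded as a type 3 (network) logon before any session is created.
RDP_LOGON_TYPES = {3, 10}


def _t(hh_mm_ss):
    """Build a timestamp on a fixed (constructed) day from 'HH:MM:SS'."""
    return datetime(2019, 6, 6, *map(int, hh_mm_ss.split(":")))


# Constructed sample records mirroring event 4625 fields.
SAMPLE_EVENTS = [
    # Six different sources, one guess each against the same account
    # (the GoldBrute pattern).
    {"TimeCreated": _t("08:00:05"), "TargetUserName": "administrator", "IpAddress": "198.51.100.10", "LogonType": 3},
    {"TimeCreated": _t("08:00:31"), "TargetUserName": "administrator", "IpAddress": "198.51.100.11", "LogonType": 3},
    {"TimeCreated": _t("08:00:58"), "TargetUserName": "administrator", "IpAddress": "192.0.2.44", "LogonType": 3},
    {"TimeCreated": _t("08:01:20"), "TargetUserName": "administrator", "IpAddress": "203.0.113.99", "LogonType": 3},
    {"TimeCreated": _t("08:01:47"), "TargetUserName": "administrator", "IpAddress": "192.0.2.45", "LogonType": 3},
    {"TimeCreated": _t("08:02:09"), "TargetUserName": "administrator", "IpAddress": "198.51.100.12", "LogonType": 3},
    # One noisy source hammering a second account (classic brute force).
    {"TimeCreated": _t("08:01:00"), "TargetUserName": "jsmith", "IpAddress": "203.0.113.7", "LogonType": 10},
    {"TimeCreated": _t("08:01:02"), "TargetUserName": "jsmith", "IpAddress": "203.0.113.7", "LogonType": 10},
    {"TimeCreated": _t("08:01:04"), "TargetUserName": "jsmith", "IpAddress": "203.0.113.7", "LogonType": 10},
    # Console failure, not RDP; must be ignored by both rules.
    {"TimeCreated": _t("08:01:30"), "TargetUserName": "jsmith", "IpAddress": "127.0.0.1", "LogonType": 2},
]


def per_ip_brute_force(events, threshold=5):
    """Classic rule: flag a source IP once it accumulates `threshold` RDP failures.

    Returns {ip: failure_count} for the IPs that cross the threshold.
    """
    counts = defaultdict(int)
    for e in events:
        if e["LogonType"] in RDP_LOGON_TYPES:
            counts[e["IpAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_brute_force(events, window=timedelta(minutes=10), min_sources=5):
    """Flag accounts that receive RDP failures from at least `min_sources`
    distinct IPs inside any interval of length `window`, however few attempts
    each IP makes. Returns {account: (distinct_sources, window_start)}.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["LogonType"] in RDP_LOGON_TYPES:
            by_account[e["TargetUserName"]].append((e["TimeCreated"], e["IpAddress"]))

    hits = {}
    for account, attempts in by_account.items():
        attempts.sort()  # chronological; a sliding window over each start point
        best, best_start = 0, None
        for i, (start, _) in enumerate(attempts):
            seen = set()
            for t, ip in attempts[i:]:
                if t - start > window:
                    break
                seen.add(ip)
            if len(seen) > best:
                best, best_start = len(seen), start
        if best >= min_sources:
            hits[account] = (best, best_start)
    return hits


if __name__ == "__main__":
    print("per-IP rule flags:", per_ip_brute_force(SAMPLE_EVENTS))
    print("per-account rule flags:", distributed_brute_force(SAMPLE_EVENTS))
```

With the default threshold of five failures per source, the per-IP rule reports nothing, because no address in the sample fails more than three times; the per-account rule reports the administrator account with six distinct sources inside a ten-minute window. In production the same grouping is done in the SIEM over the real 4625 stream, with the window and source count tuned to the normal number of remote users per account.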

The first thing an infected system does is download the bot's code. The download is heavy, 80 MB, because it bundles a Java Runtime. The bot itself is implemented in a Java class called GoldBrute. Once running, the bot scans the Internet for more systems exposing RDP. When it has reported 80 new potential victims, the C&C servers assign it a set of targets on which to carry out its brute force attempts.

The files that the botnet delivers do not reveal the ultimate goal of the attack. Nevertheless, since the bot includes no persistence mechanism, researchers believe that the attacker could be using it to collect working credentials and sell access to the affected systems to other cybercriminals.

The scope of the problem

A search on Shodan, the search engine for connected devices, reveals some 2.9 million machines that are reachable from the Internet with RDP enabled. In many companies, employees connect to their computers remotely with RDP when they are out of the office, and at times these RDP services are not properly protected. This makes RDP a very appealing attack vector. With these figures in mind, GoldBrute could become a threat on the scale of WannaCry.

What's more, if we take into account the fact that, according to PandaLabs, in 2018 40% of large and medium-sized companies were targeted by RDP attacks every month, it is clear that, even before this botnet appeared, exposed Remote Desktop Protocol services posed a serious risk.

If an attacker manages to get onto a computer through an insecure RDP service, they can do anything that the compromised account can do: access local data and files, install programs, move laterally across the corporate network, or use the computer's CPU to mine cryptocurrencies.

Safe use of RDP

But this is by no means the only cyberthreat that exploits RDP. In September last year, the FBI issued a warning about the danger posed by attacks via this protocol. It is therefore a good idea to protect your company against the problems this protocol can cause.

1.- Is RDP really necessary? It may seem obvious, but an attacker can only reach your computer via RDP if the service is enabled and reachable. As such, it is worth questioning whether this protocol really needs to be active in your organization, and, where it does, whether it needs to be exposed directly to the Internet rather than reached through a VPN or a remote desktop gateway.

2.- Secure passwords. To protect the endpoint against brute force attacks, it is very important to use strong, unique passwords and never reuse old ones. This last point is particularly important to avoid credential stuffing attacks, which try to gain access to a system using passwords gathered in old data breaches. An account lockout policy also limits how many guesses a single account will accept, which matters against a botnet that spreads its guesses across many source addresses.

3.- Constant monitoring. We often say that there is no such thing as 100% security. However, the chances of suffering a cyberattack are greatly reduced if you know exactly what is happening on your corporate network at all times; for RDP in particular, that means watching failed logon attempts per account and not only per source address. Panda Adaptive Defense provides real-time visibility of all active processes and acts against possible threats before they can cause damage, greatly reducing the chances that a cyberthreat endangers the computers on your IT system.

For now, the access that GoldBrute gains through its credential guessing has not been seen used in any further attack or malicious campaign. Nevertheless, it may only be a matter of time before we see its final goal. It is therefore vital that your IT systems are protected.