The Hacker News (THN:1BA2E3EE721856ECEE43B825656909B0)
Jun 07, 2019 - 9:13 a.m.

New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

The Hacker News, thehackernews.com
CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
  Percentile: 100.0%


Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet.

Dubbed GoldBrute, the botnet is designed to grow gradually: every newly cracked system is added to the network and is in turn made to find further publicly accessible RDP servers and brute-force them.

To fly under the radar of security tools and malware analysts, the attackers behind this campaign instruct each infected machine to target millions of servers with a single, unique username and password combination, so that any one targeted server receives brute-force attempts from many different IP addresses rather than a flood from one.

The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps:

[Image: windows server rdp brute force]

Step 1 — After successfully brute-forcing an RDP server, the attacker installs the Java-based GoldBrute botnet malware on the machine.

Step 2 — To control infected machines, the attackers use a fixed, centralized command-and-control server that exchanges commands and data over an AES-encrypted WebSocket connection.

Steps 3 and 4 — Each infected machine then receives its first task: scan for and report back a list of at least 80 new publicly accessible RDP servers that can be brute-forced.

Steps 5 and 6 — The attackers then assign each infected machine a unique username and password combination as its second task, making it attempt that single combination against the list of RDP targets the infected system continually receives from the C&C server.

Step 7 — On a successful attempt, the infected machine reports the working login credentials back to the C&C server.
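The distribution scheme in Steps 5 and 6 is what defeats per-source-IP lockout and alerting: each bot sends a target only one or two attempts. The following is an added example (not code from the article or from Morphus Labs) of a detector that aggregates failed RDP logons per target host instead of per source; the log lines are constructed in the shape of Windows Security Event 4625 with LogonType 10, and the thresholds are assumptions to tune per environment.

```python
"""Added example (not from the article or Morphus Labs): flag the distributed
RDP brute-force pattern described above in Windows Security log lines."""
import re
from collections import defaultdict

# Constructed lines shaped like Event ID 4625 (failed logon); LogonType 10 is
# RemoteInteractive, i.e. RDP.  Fields: time, event, host, account, source IP, logon type.
SAMPLE_LOG = """\
2019-06-07T09:00:01 4625 srv-rdp01 administrator 203.0.113.10 10
2019-06-07T09:00:14 4625 srv-rdp01 admin 198.51.100.22 10
2019-06-07T09:00:31 4625 srv-rdp01 backup 203.0.113.77 10
2019-06-07T09:00:45 4625 srv-rdp01 administrator 192.0.2.133 10
2019-06-07T09:01:02 4625 srv-rdp01 scanner 198.51.100.91 10
2019-06-07T09:01:20 4625 srv-rdp01 guest 203.0.113.150 10
2019-06-07T09:02:10 4625 srv-file02 jdoe 10.0.0.5 10
2019-06-07T09:02:33 4625 srv-file02 jdoe 10.0.0.5 10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<src>[\d.]+) (?P<ltype>\d+)$")

def parse_failed_rdp(log_text):
    """Yield field dicts for well-formed failed RDP logon lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] == "4625" and m["ltype"] == "10":
            yield m.groupdict()

def find_distributed_bruteforce(log_text, min_failures=5, max_per_source=2):
    """Return {host: (failures, distinct_sources, distinct_users)} for hosts whose
    failed RDP logons come from many sources that each send only a few attempts
    (the GoldBrute pattern).  Thresholds are assumptions; tune per environment.
    A rule keyed on source IP alone never fires on this traffic."""
    by_host = defaultdict(lambda: {"srcs": defaultdict(int), "users": set()})
    for ev in parse_failed_rdp(log_text):
        by_host[ev["host"]]["srcs"][ev["src"]] += 1
        by_host[ev["host"]]["users"].add(ev["user"])
    hits = {}
    for host, d in by_host.items():
        failures = sum(d["srcs"].values())
        # Aggregate per target: many failures overall ...
        if failures < min_failures:
            continue
        # ... while every source stays under the per-IP lockout/alert threshold.
        if max(d["srcs"].values()) <= max_per_source:
            hits[host] = (failures, len(d["srcs"]), len(d["users"]))
    return hits
```

Running `find_distributed_bruteforce(SAMPLE_LOG)` flags srv-rdp01 (six failures from six IPs against five account names) and ignores srv-file02, whose two failures from one address are ordinary user error that a per-source rule already covers.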

At this moment, it is unclear exactly how many RDP servers have already been compromised and are participating in the brute-force attacks against other RDP servers on the Internet.


At the time of writing, a quick Shodan search shows that around 2.4 million Windows RDP servers can be accessed on the Internet, and probably more than half of them are receiving brute force attempts.

Remote Desktop Protocol (RDP) made headlines recently for two new security vulnerabilities—one was patched by Microsoft, and the other still remains unpatched.

Dubbed BlueKeep, the patched vulnerability (CVE-2019-0708) is a wormable flaw that could allow remote attackers to take control of RDP servers; if successfully exploited at scale, it could cause havoc around the world, potentially much worse than the wormable attacks WannaCry and NotPetya did in 2017.

The unpatched vulnerability, which resides in Windows, could allow client-side attackers to bypass the lock screen on Remote Desktop (RD) sessions.

