RDP servers on the Internet.
Dubbed GoldBrute, the botnet scheme has been designed in a way to escalate gradually by adding every new cracked system to its network, forcing them to further find new available RDP servers and then brute force them.
To fly under the radar of security tools and malware analysts, attackers behind this campaign command each infected machine to target millions of servers with a unique set of username and password combination so that a targeted server receives brute force attempts from different IP addresses.
The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps:
Step 2 — To control infected machines, attackers utilize a fixed, centralized command-and-control server that exchanges commands and data over an AES encrypted WebSocket connection.
Step 3 and 4 — Each infected machine then receives its first task to scan and report back a list of at least 80 publicly accessible new RDP servers that can be brute-forced.
Step 5 and 6 — Attackers then assign each infected machine with a unique set of username and password combination as its second task, forcing them to attempt it against the list of RDP targets the infected system continually receives from the C&C server.
Step 7 — On successful attempts, the infected machine reports back login credentials to the C&C server.
At this moment, it is unclear exactly how many RDP servers have already been compromised and participating in the brute force attacks against other RDP servers on the Internet.
Remote Desktop Protocol (RDP) made headlines recently for two new security vulnerabilities—one was patched by Microsoft, and the other still remains unpatched.
Dubbed BlueKeep, the patched vulnerability (CVE-2019-0708) is a wormable flaw that could allow remote attackers to take control of RDP servers and if successfully exploited, could cause havoc around the world, potentially much worse than what WannaCry and NotPetya like wormable attacks did in 2017.
The unpatched vulnerability resides in Windows that could allow client-side attackers to bypass the lock screen on remote desktop (RD) sessions.