New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

Filed under Alerts.

Security researchers have discovered an ongoing sophisticated botnet campaign that is currently brute-forcing more than 1.5 million publicly accessible Windows RDP servers on the Internet.

Dubbed GoldBrute, the botnet has been designed to grow gradually: every newly cracked system is added to the network and is then made to find further reachable RDP servers and brute-force them in turn.

To fly under the radar of security tools and malware analysts, the attackers behind this campaign direct each infected machine to try a single, unique username and password combination against millions of servers, so that any targeted server sees brute-force attempts arriving from many different IP addresses rather than a burst from one.

The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps:


Step 1 — After successfully brute-forcing an RDP server, the attacker installs the Java-based GoldBrute botnet malware on the machine.

Step 2 — To control infected machines, the attackers use a fixed, centralized command-and-control server that exchanges commands and data over an AES-encrypted WebSocket connection.

Steps 3 and 4 — Each infected machine then receives its first task: scan for and report back a list of at least 80 new, publicly accessible RDP servers that can be brute-forced.

Steps 5 and 6 — As its second task, each infected machine is assigned one unique username and password combination, which it attempts against the list of RDP targets it continually receives from the C&C server.

Step 7 — On successful attempts, the infected machine reports back login credentials to the C&C server.
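The one-credential-per-bot design in steps 5 and 6 has a direct consequence for defenders, illustrated by the added example below (written for this page, not code from Morphus Labs or The Hacker News): a classic per-IP failed-logon threshold never fires when each source tries only once, while an aggregate rule over a time window does. The simplified log layout (timestamp, Windows event ID, source IP, target user) and the sample lines are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real Windows event text, not from the article) in a
# simplified "timestamp event_id source_ip target_user" form; 4625 = failed logon, 4624 = success.
SAMPLE_LOG = """\
2019-06-06T10:00:01 4625 198.51.100.10 administrator
2019-06-06T10:00:04 4625 203.0.113.7 admin
2019-06-06T10:00:09 4625 198.51.100.22 administrator
2019-06-06T10:00:15 4625 192.0.2.33 backup
2019-06-06T10:00:21 4625 203.0.113.91 administrator
2019-06-06T10:00:30 4624 10.0.0.5 jsmith
2019-06-06T10:00:44 4625 192.0.2.120 sysadmin
2019-06-06T10:00:58 4625 198.51.100.77 admin
2019-06-06T10:01:10 4625 203.0.113.150 test
2019-06-06T10:01:25 4625 192.0.2.8 administrator
"""

def parse_events(text):
    """Parse the simplified log into (timestamp, event_id, source_ip, user) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, user))
    return events

def per_source_alerts(events, threshold=5):
    """Classic per-IP rule: alert on any single source with >= threshold failures."""
    per_source = Counter(src for _, eid, src, _ in events if eid == 4625)
    return sorted(src for src, n in per_source.items() if n >= threshold)

def distributed_alerts(events, window_minutes=5, min_failures=8, max_per_source=2):
    """Aggregate rule: alert on a time window with many failures where no single source
    exceeds max_per_source, the signature of one credential pair per bot per target."""
    buckets = defaultdict(list)
    for ts, eid, src, user in events:
        if eid == 4625:
            start = ts.replace(second=0, microsecond=0)
            start -= timedelta(minutes=start.minute % window_minutes)  # align to window
            buckets[start].append((src, user))
    alerts = []
    for start, fails in sorted(buckets.items()):
        per_source = Counter(src for src, _ in fails)
        if len(fails) >= min_failures and max(per_source.values()) <= max_per_source:
            alerts.append({"window_start": start.isoformat(), "failures": len(fails),
                           "distinct_sources": len(per_source),
                           "top_users": Counter(u for _, u in fails).most_common(3)})
    return alerts
```

On the sample, `per_source_alerts` returns nothing while `distributed_alerts` flags the 10:00 window with nine failures from nine sources, mostly against "administrator".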

At this moment, it is unclear exactly how many RDP servers have already been compromised and are participating in the brute-force attacks against other RDP servers on the Internet.


At the time of writing, a quick Shodan search shows that around 2.4 million Windows RDP servers can be accessed on the Internet, and probably more than half of them are receiving brute force attempts.

Remote Desktop Protocol (RDP) made headlines recently for two new security vulnerabilities—one was patched by Microsoft, and the other still remains unpatched.

Dubbed BlueKeep, the patched vulnerability (CVE-2019-0708) is a wormable flaw that could allow remote attackers to take control of RDP servers and, if successfully exploited, could cause havoc around the world, potentially much worse than the WannaCry and NotPetya wormable attacks of 2017.

The unpatched vulnerability resides in Windows and could allow client-side attackers to bypass the lock screen on Remote Desktop (RD) sessions.


The information contained in this website is for general information purposes only and is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability of the website or the information, products, services, or related graphics contained on it for any purpose. Any reliance you place on such information is therefore strictly at your own risk.