We are two weeks into June and it is not looking good for servers. Last month the theme in security threats was routers, but this month servers are getting the short end of the stick. Exim, the e-mail server software, had its own security issues, but I’m sure its maintainers are thankful for the more recent threats, since their story pales in comparison.
One of these recent threats is GoldBrute, a brute-force botnet that has already targeted 1.6 million RDP servers across the globe.
What even is a botnet? An RDP server? Where did GoldBrute come from?
1. What is a Botnet?
In nature, certain creatures such as bees and ants can act as one collective being. If the queen instructs the army of bees to perform a task, hundreds or thousands of individuals will follow suit. This kind of group thinking under centralized control is known as a “hive mind”.
A botnet is the same. It, too, has a hive mind.
To create a botnet, a hacker infects multiple computers or servers with malware designed to give the hacker control of each device. Once in control of the devices, the hacker sets every one of them to act as a single entity on a single task.
For example, a hacker may use 20 computers to send the same spam message to different e-mail addresses. Or, in our current situation, use the botnet to try to hack more than half a million servers.
RDP servers, to be exact. And now it’s time for me to move into the second educational lesson.
2. RDP Servers
RDP, short for Remote Desktop Protocol, allows a computer to be accessed and controlled remotely from a different location. Of course, this type of tech requires a server (or several) to run on, so what happens when those servers are hacked?
Let’s see, a botnet is a system where multiple computers can be remotely accessed to perform one, usually illegal, task. RDP allows remote access to devices, so…oh. That’s why.
If you have RDP servers under your botnet command, that would be a huge win for you, if you’re the hacker of course.
3. What about GoldBrute?
GoldBrute is the biggest epidemic servers are facing right now. Over 1.6 million RDP servers have been targeted, but 2.4 million are exposed to the internet. That’s right, GoldBrute is just getting started.
GoldBrute works by brute force. When GoldBrute lands on a machine, the machine attempts to download a sizeable 80MB file that contains a Java executable. Once that executable runs, the machine becomes a bot in the botnet and starts scanning IP addresses in search of RDP endpoints.
Once it finds one, the bot starts a brute-force attack, trying username and password combinations over and over until it gets both right.
GoldBrute has proven very effective thanks to its technique of trying only one password per machine and then moving on, to come back later, so as not to trigger any defense mechanisms on the network.
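To see why the one-guess-per-host trick matters for defenders, here is an added example in Python (not from the original post or from any GoldBrute analysis): a classic per-source lockout rule stays silent on constructed log lines where five different sources each fail once against RDP, while a rule that counts distinct failing sources inside a time window catches the same activity. The flattened log format, IP addresses and account names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, one per line: timestamp,
# event id (4625 = failed logon, 4624 = success), logon type (10 = RDP),
# source IP, target account. Five sources each try exactly one credential.
SAMPLE_LOG = """\
2019-06-10T12:00:01 4625 10 203.0.113.5 administrator
2019-06-10T12:00:04 4625 10 203.0.113.17 admin
2019-06-10T12:00:09 4625 10 198.51.100.23 administrator
2019-06-10T12:00:15 4625 10 198.51.100.77 backup
2019-06-10T12:00:20 4625 10 192.0.2.44 administrator
2019-06-10T12:00:31 4624 10 10.0.0.12 alice
2019-06-10T12:00:40 4625 2 10.0.0.12 alice
"""

def parse_log(text):
    """Parse the flattened lines into dicts, keeping only failed RDP logons."""
    fails = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split()
        if event_id == "4625" and logon_type == "10":
            fails.append({"ts": datetime.fromisoformat(ts), "src": src,
                          "account": account})
    return sorted(fails, key=lambda e: e["ts"])

def per_source_alerts(fails, threshold=5, window=timedelta(minutes=5)):
    """Classic lockout-style rule: many failures from one source. Returns flagged IPs."""
    flagged = set()
    for e in fails:
        recent = [f for f in fails
                  if f["src"] == e["src"] and e["ts"] - window <= f["ts"] <= e["ts"]]
        if len(recent) >= threshold:
            flagged.add(e["src"])
    return flagged

def distributed_alert(fails, min_sources=5, window=timedelta(minutes=5)):
    """Slide a window over the failures and count distinct sources, however few
    attempts each made. Returns (distinct_sources, Counter of accounts) for the
    busiest window, or None if no window reaches min_sources."""
    best = None
    for i, start in enumerate(fails):
        in_window = [f for f in fails[i:] if f["ts"] <= start["ts"] + window]
        sources = {f["src"] for f in in_window}
        if len(sources) >= min_sources and (best is None or len(sources) > best[0]):
            best = (len(sources), Counter(f["account"] for f in in_window))
    return best
```

On the sample, per_source_alerts returns an empty set while distributed_alert reports five distinct sources, three of them aiming at the administrator account.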
As I said earlier, servers have pretty much gotten the short end of the stick this month, but GoldBrute is on a whole other level. BlueKeep, another vulnerability in RDP, is bad too, but GoldBrute has hit a scale we haven’t seen in a while.
GoldBrute has become so popular among hackers that a recent study shows that, in the past week, 96% of RDP server attacks were brute-force attacks versus 3.4% taking advantage of the BlueKeep exploit. If that’s not a sign of a successful hack, I don’t know what is. Though, I guess I’d prefer the alternative of never knowing this exploit existed so I could sleep peacefully. Ignorance is bliss after all.