Security researchers have discovered a new botnet that has been attacking Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet.
Discovered by Renato Marinho of Morphus Labs, the botnet has been seen attacking 1,596,571 RDP endpoints, a number the researcher says will most likely rise in the coming days.
Named GoldBrute, the botnet works as follows:
It is currently unclear how large the GoldBrute botnet really is. What is known is that the botnet's list of "brutable" RDP targets has grown in size over the past few days as it slowly found new RDP endpoints to launch attacks against.
This growth of the GoldBrute master list of RDP targets also suggests an increase of its base of infected devices.
The bad news for companies and users running RDP endpoints exposed on the Internet is that the botnet is also difficult to detect and stop. This is because every GoldBrute-infected system only launches one password-guessing attempt per victim, preventing security systems that provide brute-force protection from kicking in.
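As an added illustration, not code from the original report or from Morphus Labs, the Python below shows how a defender can still catch this pattern in authentication logs: instead of counting failures per source IP (which stays at one for every bot), it counts distinct failing sources per target host inside a sliding time window. The log format, host names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): five sources each hit rdp-01 once in
# a few minutes, so no single IP reaches a per-source lockout threshold.
SAMPLE_LOG = """\
2019-06-06T10:00:01 target=rdp-01 user=administrator src=198.51.100.7 result=FAIL
2019-06-06T10:00:09 target=rdp-01 user=administrator src=203.0.113.21 result=FAIL
2019-06-06T10:01:30 target=rdp-01 user=administrator src=192.0.2.55 result=FAIL
2019-06-06T10:02:44 target=rdp-01 user=admin src=198.51.100.99 result=FAIL
2019-06-06T10:03:10 target=rdp-01 user=administrator src=203.0.113.8 result=FAIL
2019-06-06T10:03:15 target=rdp-02 user=backup src=192.0.2.10 result=FAIL
2019-06-06T10:04:00 target=rdp-02 user=jsmith src=192.0.2.12 result=OK
"""

def parse_line(line):
    ts, rest = line.split(" ", 1)  # '<iso-timestamp> k=v k=v ...'
    return datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in rest.split())

def failures_by_target(log_text):
    """Map each target host to a time-ordered list of (timestamp, source) failures."""
    per_target = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ts, f = parse_line(line)
        if f["result"] == "FAIL":
            per_target[f["target"]].append((ts, f["src"]))
    return {t: sorted(ev) for t, ev in per_target.items()}

def max_attempts_per_source(log_text):
    """Classic per-source counter: most failures seen from any single IP."""
    counts = defaultdict(int)
    for events in failures_by_target(log_text).values():
        for _, src in events:
            counts[src] += 1
    return max(counts.values(), default=0)

def max_distinct_sources(events, window_minutes):
    """Most distinct source IPs hitting one target inside any sliding window."""
    window, best, start = timedelta(minutes=window_minutes), 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({src for _, src in events[start:end + 1]}))
    return best

def flag_distributed_bruteforce(log_text, threshold=5, window_minutes=10):
    """Targets hit by at least `threshold` distinct failing sources within the window."""
    return sorted(t for t, ev in failures_by_target(log_text).items()
                  if max_distinct_sources(ev, window_minutes) >= threshold)
```

On the sample, the per-source counter never exceeds one, while the per-target view flags rdp-01 with five distinct failing sources in under four minutes.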
The discovery of the GoldBrute botnet has also highlighted that, currently, brute-force attacks remain the top threat for RDP systems exposed online.
Despite all the panic surrounding the looming threat of someone weaponizing the new BlueKeep RDP vulnerability, security researchers say that most RDP attacks today are classic brute-force attempts.
According to statistics released today by cyber threat intelligence firm Bad Packets, RDP scans for the BlueKeep vulnerability only account for 3.4% of all the malicious RDP traffic seen in the past week.
On the other hand, RDP brute-force attacks and attempts to exploit older RDP vulnerabilities account for 96.6%, showing that the conscious decision made by multiple security firms and security researchers to refrain from releasing a working BlueKeep exploit has been a good one.
RDP Detections – Last 7 Days
96.6% not BlueKeep
3.4% #BlueKeep related pic.twitter.com/gXBFqr9mlF
— Bad Packets Report (@bad_packets) June 6, 2019
"The GoldBrute botnet activity indicates miscreants are still employing classical techniques of brute-forcing instead of exploiting BlueKeep to target RDP endpoints," Troy Mursch, Bad Packets founder, told ZDNet today.
Of course, just because hackers haven't figured out a way to exploit the BlueKeep vulnerability doesn't mean that companies can delay patching.
On the contrary: both Microsoft and the NSA have issued dire warnings urging users to apply security updates as soon as possible.