24 Jun 2019 GoldBrute Botnet Highlights Remote Access Risks
The GoldBrute botnet is showing us all the dangers of remote access to industrial sites. GoldBrute targets Internet-exposed Remote Desktop (RDP) servers. Morphus Labs reports that the botnet is currently targeting 1.5 million of the Internet-exposed RDP servers that Shodan reports exist, and the list of targeted servers is expanding.
How It Works
How the botnet works is simple – it starts by taking over Internet-exposed RDP servers that have not yet installed the patch for the CVE-2019-0708 vulnerability, also known as “BlueKeep”. The botnet then uses those compromised servers to launch password-guessing attacks on even patched servers with RDP exposed to the Internet. With password guesses coming from compromised IP addresses all over the Internet, the usual per-IP blacklisting timeouts that RDP deployments rely on to thwart password guessing have little effect, because no single source address ever exceeds the lockout threshold.
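The paragraph above explains why per-IP lockout fails against a distributed guessing campaign: each compromised source makes only a few attempts, so no address ever trips the threshold. The following is an added illustration, not code from the original post or from Morphus Labs, showing the defender's counterpart: the same constructed batch of RDP logon failures (field names loosely modelled on Windows Security event 4625, with made-up addresses and hypothetical thresholds) run through a classic per-source counter and through a per-target-account counter of distinct source addresses. The single noisy IP is caught by both; the distributed campaign against one account is only caught by the second.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RDP logon failures: (timestamp, source address, target
# account). Modelled loosely on Windows Security event 4625 fields; not real data.
SAMPLE_EVENTS = [
    # One noisy source: six failures from a single IP against one account.
    *[(f"2019-06-24T10:00:{s:02d}", "203.0.113.7", "backup") for s in range(6)],
    # Distributed low-and-slow campaign: twelve sources, two guesses each,
    # all aimed at the same account within ten minutes.
    *[(f"2019-06-24T10:0{i % 10}:{(i * 7) % 60:02d}", f"198.51.100.{i}", "administrator")
      for i in range(12) for _ in range(2)],
    # Benign noise: one user mistyping a password twice.
    ("2019-06-24T10:05:00", "192.0.2.5", "jsmith"),
    ("2019-06-24T10:05:20", "192.0.2.5", "jsmith"),
]


def parse_events(rows):
    """Turn ISO-8601 timestamp strings into datetimes; keep the other fields as-is."""
    return [(datetime.fromisoformat(ts), src, user) for ts, src, user in rows]


def _max_in_window(items, window, measure):
    """Slide a time window over sorted (timestamp, value) pairs and return the
    largest value of measure(values inside the window)."""
    items = sorted(items)
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(v for _, v in items[start:end + 1]))
    return best


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic per-IP lockout logic: a source address is flagged when it
    produces `threshold` or more failures inside one window. Hypothetical defaults."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    return {src for src, items in by_src.items()
            if _max_in_window(items, window, lambda vals: sum(1 for _ in vals)) >= threshold}


def distributed_alerts(events, min_sources=10, window=timedelta(minutes=10)):
    """Target-centric logic: an account is flagged when failures against it
    arrive from `min_sources` or more distinct addresses inside one window,
    regardless of how few attempts each address makes. Hypothetical defaults."""
    by_user = defaultdict(list)
    for ts, src, user in events:
        by_user[user].append((ts, src))
    return {user for user, items in by_user.items()
            if _max_in_window(items, window, lambda vals: len(set(vals))) >= min_sources}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("per-source alerts:", per_source_alerts(events))      # only 203.0.113.7
    print("distributed alerts:", distributed_alerts(events))    # only administrator
```

The thresholds and the ten-minute window are placeholders; in practice the per-account detector is fed from the same failed-logon events a SIEM already collects for RDP hosts, and the useful signal is the count of distinct source addresses per target account rather than the count of attempts per source.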
What The Attackers Are Doing
The attackers behind GoldBrute are building a botnet – a large number of compromised machines that carry out commands issued by a central command and control (C2) server. The attackers also have account names and passwords able to log into any of the RDP servers whose passwords have been guessed. There are no public reports of the attackers logging into compromised machines and manipulating IT networks or industrial control systems, but such reports are only a matter of time.
Microsoft regards this class of attack as very serious, so serious that the vendor has issued security updates for even out-of-support Windows XP machines.
What It All Means
Remote access solutions are intrinsically dangerous. Yes, best practice is to augment RDP deployments with Virtual Private Networks (VPNs) and two-factor authentication to strengthen them somewhat, but even these best-practice measures improve the situation only slightly. VPN keys can be stolen, and VPN systems are software, with their own vulnerabilities. RDP and all comparable remote access solutions are also software, with vulnerabilities that crop up from time to time, like CVE-2019-0708, which enables GoldBrute.