Exposing Remote Desktop Protocol (RDP) to the internet is a bad idea, because botnets are constantly looking for exactly such endpoints to carry out their malicious activities. Recently, a newly discovered botnet named ‘GoldBrute’ has been found scanning the internet for vulnerable Windows machines that have RDP exposed to the internet.
What’s the matter?
Discovered by Renato Marinho of Morphus Labs, the GoldBrute botnet has compiled 1,596,571 unique systems which can be hacked through brute-force or credential stuffing attacks.
It is believed that the number will most likely rise in the coming days.
How does it work?
The botnet works as follows:
Researchers note that the C2 server used for communication has the IP address 104[.]156[.]249[.]231, which is located in New Jersey, United States.
A search on the Shodan search engine shows that there are about 2.4 million machines with Remote Desktop Protocol enabled. This huge pool is what the GoldBrute botnet, which continuously scans the internet for exposed RDP endpoints, draws on.
Researchers highlight that the GoldBrute activity shows miscreants are still employing classical brute-forcing techniques against RDP endpoints rather than exploiting BlueKeep.
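Because GoldBrute relies on plain brute-force and credential stuffing rather than an exploit, the activity is visible in the target's own Windows Security log as bursts of failed logons. The following added example (not code from the article or from Morphus Labs) shows the core of such a detection: it walks a constructed list of events shaped like Windows Security events (event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags any source address that produces `threshold` or more RDP failures inside a sliding time window. The event tuples, IP addresses and usernames are constructed sample data; the field layout is an assumption chosen for readability, not a real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real data).
# Shape: (timestamp, event_id, logon_type, source_ip, username)
#   event_id 4625 = failed logon, 4624 = successful logon
#   logon_type 10 = RemoteInteractive (RDP); 3 = network logon (not RDP)
SAMPLE_EVENTS = [
    ("2019-06-06T10:00:01", 4625, 10, "203.0.113.10", "administrator"),
    ("2019-06-06T10:00:14", 4625, 10, "203.0.113.10", "admin"),
    ("2019-06-06T10:00:27", 4625, 10, "203.0.113.10", "user"),
    ("2019-06-06T10:00:40", 4625, 10, "203.0.113.10", "test"),
    ("2019-06-06T10:00:53", 4625, 10, "203.0.113.10", "guest"),
    ("2019-06-06T10:01:06", 4625, 10, "203.0.113.10", "backup"),
    ("2019-06-06T10:02:00", 4625, 10, "198.51.100.7", "jsmith"),   # one typo, then success
    ("2019-06-06T10:02:30", 4624, 10, "198.51.100.7", "jsmith"),
    ("2019-06-06T10:03:00", 4625, 3, "203.0.113.99", "administrator"),  # network logon, ignored
    ("2019-06-06T10:05:00", 4625, 10, "192.0.2.5", "svc"),        # slow trickle: 5 failures
    ("2019-06-06T10:15:00", 4625, 10, "192.0.2.5", "svc"),        # spread over 40 minutes
    ("2019-06-06T10:25:00", 4625, 10, "192.0.2.5", "svc"),
    ("2019-06-06T10:35:00", 4625, 10, "192.0.2.5", "svc"),
    ("2019-06-06T10:45:00", 4625, 10, "192.0.2.5", "svc"),
]

FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10


def rdp_bruteforce_sources(events, threshold=5, window_minutes=5):
    """Return {source_ip: peak_failures} for every source that produced at
    least `threshold` failed RDP logons within any `window_minutes` window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, event_id, logon_type, src, _user in events:
        if event_id == FAILED_LOGON and logon_type == RDP_LOGON_TYPE:
            failures[src].append(datetime.fromisoformat(ts))

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps: advance `start` until
        # the span [start, end] fits inside the window, then count it.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def usernames_tried(events, source_ip):
    """Sorted set of usernames a source tried over RDP; many distinct names
    from one address is the credential-stuffing pattern the article describes."""
    return sorted({
        user for _ts, event_id, logon_type, src, user in events
        if src == source_ip and event_id == FAILED_LOGON and logon_type == RDP_LOGON_TYPE
    })


if __name__ == "__main__":
    for src, peak in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {peak} RDP failures in window, usernames {usernames_tried(SAMPLE_EVENTS, src)}")
```

With the defaults only 203.0.113.10 is flagged: six failures across six different usernames in just over a minute. The single typo from 198.51.100.7 and the network (type 3) failure are ignored, and the slow trickle from 192.0.2.5 only trips the rule if the window is widened to an hour, which illustrates why a production rule should be evaluated at more than one window size. The same logic applies unchanged to events pulled from Event Viewer exports, a SIEM, or a log forwarder once they are mapped into the tuple shape above.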