A newly discovered botnet has been discovered attacking Windows systems running Remote Desktop Protocol connections in what could be one of the largest attacks of its type this year.

Dubbed GoldBrute, the botnet is said to have attempted to brute-force some 1.5 million exposed servers as of midweek, with the number expected to grow.

The Shadon security search engine currently lists about 2.4 million exposed servers running RDP, but as Renato Marinho at Morpheus Labs pointed out late last week, GoldBrute is using its own list and is extending it as it continues to scan and grow.

RDP is a Microsoft Corp. protocol which allows users to connect to another computer over a network connection. While not always open to being attacked, RDP has had multiple security issues over the years and the mere fact that it’s an exposed pathway into a computer network makes it a favored attack vector by hackers.

GoldBrute attempts to brute-force its way into potentially vulnerable networks running RDP. In a brute-force attack, an attacker submits many passwords or phrases in an attempt to gain access.

In the event the botnet gains access, the first thing it does is install the bot code, adding the now infected device to the botnet itself.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers.,” Marinho explained. “These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.”

The primary goal of GoldBrute so far appears to be the expansion of the botnet itself rather than any secondary target at this stage, but that could easily change. It could also be that those behind the botnet created it to sell access to others who wish to use its computing power to attack other systems and networks.

“An attacker with access can then easily disable endpoint protection or leverage exploits to allow their malicious payloads to execute,” Matthew Aldridge from Webroot told SC Media UK. “There are a variety of payload options available to the criminal for extracting profit from the victim as well.”

The news comes after the U.S. National Security Agency published a rare security advisory over BlueKeep, a vulnerability in older versions of Windows that’s being actively exploited in the wild.

In that case, users of older systems are able to obtain a patch to prevent BlueKeep attacks. In the case of GoldBrute, the only way to protect against being attacked is to restrict RDP services.

Image: Pexels