
And the threats just keep coming.  Another group of actors has focused on Windows Remote Desktop Protocol (RDP) services with a botnet code-named GoldBrute.  How does this work?  You, your business or a similar setup opens up port 3389 (RDP) to the outside of your network.  The actors run a port scan against port 3389 on publicly accessible IP addresses to determine whether it is accepting connections.  If it is, the actors start a brute-force attack against your systems.  More than 1.5 million RDP servers and related equipment were already on the botnet's target list when it was reported.

 

The brute-force attack feeds on itself.  Every system the actors compromise becomes a bot that receives username and password combinations to try against other targets, and the list of usernames and passwords keeps growing as more systems fall, which widens the attack with each round.

 

The bot is written in Java and talks to its command-and-control (C2) server over an AES-encrypted WebSocket connection.  The C2 gives each captured device a task: scan the Internet for more hosts with RDP exposed and report them back.  From that information the C2 hands out username and password combinations to try, spread across many bots so that each bot makes only one or a few attempts against any one target, and the actors seize more systems.  Every newly compromised system becomes another bot, and the process repeats.
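The spreading of attempts across many bots is exactly what defeats the usual "five failures from one address" rule.  Here is an added example (my code, not from the original post or from the GoldBrute analysis) that runs two detections over Windows Security event 4625 (failed logon) records from a single RDP host: a per-source threshold, which sees nothing, and a distributed rule that counts distinct source addresses failing against the host inside a window.  It assumes each record has been reduced to the 4625 fields TimeCreated, LogonType, TargetUserName and IpAddress, that logon type 10 is an RDP logon and logon type 3 is the network logon that Network Level Authentication produces on a failed attempt, and the sample log is constructed by hand.

```python
"""
Detect a distributed RDP brute force in Windows Security event 4625 records.

Added example, not code from the original post. Assumptions (mine):
  - each record is one failed-logon event (ID 4625) reduced to the fields
    TimeCreated, LogonType, TargetUserName and IpAddress;
  - LogonType 10 = RemoteInteractive (RDP); LogonType 3 = the network logon
    recorded when Network Level Authentication rejects the credentials;
  - the sample log below is constructed by hand for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}

# Constructed sample: one host's 4625 events. Thirteen external addresses make
# one attempt each (the GoldBrute pattern); 10.0.0.5 is a user mistyping a
# password twice; the first line is a local console failure, not RDP at all.
SAMPLE_LOG = """\
2019-06-06T09:58:12Z 4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1
2019-06-06T10:00:01Z 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2019-06-06T10:01:44Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.21
2019-06-06T10:03:00Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2019-06-06T10:03:05Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2019-06-06T10:03:19Z 4625 LogonType=10 TargetUserName=administrator IpAddress=192.0.2.88
2019-06-06T10:05:02Z 4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.140
2019-06-06T10:06:37Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
2019-06-06T10:08:10Z 4625 LogonType=10 TargetUserName=administrator IpAddress=192.0.2.14
2019-06-06T10:09:55Z 4625 LogonType=3 TargetUserName=scan IpAddress=198.51.100.201
2019-06-06T10:11:30Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.77
2019-06-06T10:13:08Z 4625 LogonType=10 TargetUserName=administrator IpAddress=192.0.2.3
2019-06-06T10:14:41Z 4625 LogonType=10 TargetUserName=test IpAddress=198.51.100.66
2019-06-06T10:16:20Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.150
2019-06-06T10:18:03Z 4625 LogonType=3 TargetUserName=admin IpAddress=192.0.2.250
2019-06-06T10:19:47Z 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.33
"""


def parse_event(line):
    """Turn one simplified log line into a dict of typed fields."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(fields["LogonType"]),
        "user": fields["TargetUserName"].lower(),
        "ip": fields["IpAddress"],
    }


EVENTS = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def failed_rdp_logons(events):
    """Only 4625 events whose logon type can come from an RDP connection, in time order."""
    return sorted(
        (e for e in events if e["event_id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES),
        key=lambda e: e["time"],
    )


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic rule: at least `threshold` failures from one IP inside `window`.
    Returns the set of offending IPs. One attempt per bot never trips it."""
    by_ip = defaultdict(list)
    for e in failed_rdp_logons(events):
        by_ip[e["ip"]].append(e["time"])
    alerts = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(ip)
                break
    return alerts


def distributed_alert(events, min_sources=10, window=timedelta(minutes=30)):
    """Distributed rule: at least `min_sources` distinct IPs fail against this host
    inside a sliding `window`, regardless of how few attempts each one makes.
    Returns details of the first window that crosses the line, or None."""
    evs = failed_rdp_logons(events)
    start = 0
    for end in range(len(evs)):
        while evs[end]["time"] - evs[start]["time"] > window:
            start += 1
        chunk = evs[start:end + 1]
        sources = {e["ip"] for e in chunk}
        if len(sources) >= min_sources:
            return {
                "first_seen": evs[start]["time"],
                "sources": len(sources),
                "attempts": len(chunk),
                "accounts": sorted({e["user"] for e in chunk}),
            }
    return None


if __name__ == "__main__":
    print("per-source rule:", per_source_alerts(EVENTS) or "nothing")
    print("distributed rule:", distributed_alert(EVENTS))
```

Against the sample, the per-source rule returns nothing, while the distributed rule fires once ten distinct addresses have failed, which on this host happens after eleven attempts spread over thirteen minutes.  Tune `min_sources` to the host: a machine that only ever sees a handful of legitimate remote users should alert at a far lower count.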

 

The objective is as old as time itself: theft of data, hiding in plain sight, and using the information collected to make money.  Exposing RDP to the outside world has been a no-no for nearly 20 years.  I think it’s time to stop the shenanigans and start doing things right.

 

If your business’s network edge allows RDP from the outside without the proper security in place, it is time to shut it down.  Put the right tools in place (a VPN or remote desktop gateway in front of it, Network Level Authentication, multi-factor authentication, an account lockout policy, and a firewall rule that admits only known addresses on port 3389) and you can RDP to your heart’s content; without those measures, you may become another statistic.

 

I always wonder how the conversation goes with a business’s customer after the business has been hacked.  “I know I shouldn’t have been doing what I did, but will you forgive me and continue to be my customer?”  Does it sound something like that?  I would certainly forgive my service provider for a security breach, but I would not forgive them for breaching my trust.

 

Contact Ion Technology Group for additional information.  We can help you close the security vulnerabilities in your network so that you can rest easier – and so that your customers can rest easier as well.  Contact us today at 1.856.719.1818 or at service@iontg.com.

 

Have a safe and enjoyable computing day!
