The Internet was fun while it lasted ☹ Rise of the GoldBrute Botnet ☠
-
OK ladies and gentlemen, please put all loose items in a safe place.
Keep your hands inside of the ride at all times, and hold on to your hats.
This is going to be the ride of a lifetime, and there are no refunds.
The warnings about the RDP exploit in Windows came thick and fast in the past couple of weeks, but is the world prepared?
It begins....
GoldBrute Botnet Brute Forcing 1.5 Million RDP Servers, (Wed, Jun 5th)
https://isc.sans.edu/diary/rss/25002
New GoldBrute Botnet is Trying to Hack 1.5 Million RDP Servers
https://www.bleepingcomputer.com/news/security/new-goldbrute-botnet-is-trying-to-hack-15-million-rdp-servers/
Forget BlueKeep: Beware the GoldBrute
https://threatpost.com/forget-bluekeep-beware-goldbrute/145482/
Most home users will not be open to the exploit unless they use RDP shares on their LAN and use the default port.
There is some help available to check if your network is vulnerable.
2 vulnerability scanner tools by Robert Graham
https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html
See how many vulnerable computers are online
https://www.shodan.io/search?query=Remote+desktop -
Some sites worth keeping an eye on over the coming weeks
https://viz.greynoise.io/stats
https://map.lookingglasscyber.com
https://www.deteque.com/live-threat-map/
https://cybermap.kaspersky.com
https://www.digitalattackmap.com
https://horizon.netscout.com
https://wiki.shadowserver.org/wiki/pmwiki.php/Stats/BotnetMaps/ -
Finding Windows Systems Affected by BlueKeep Remote Desktop Bug
Information on using 2 tools for finding the vulnerability.
RDPScan by Robert Graham (Windows/macOS)
and
Metasploit Framework module by Zerosum0x0 and JaGoTu -
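The two posts above point at rdpscan, the Metasploit module and Shodan for finding exposed or vulnerable RDP hosts. As an added example (not code from this thread, from rdpscan, or from Metasploit), here is the first step every one of those tools performs, written out in Python: send the X.224 Connection Request that opens an RDP session, ask for legacy "standard RDP security", and read the server's negotiation reply, whose layout is defined in MS-RDPBCGR (rdpNegReq / rdpNegRsp / rdpNegFailure). A host classified as standard-rdp-accepted will talk RDP to anyone before a password is ever checked, which is what both a brute-forcing bot and the BlueKeep scanners rely on; nla-required means the server demands CredSSP first. The probe says nothing about whether the BlueKeep patch is installed; for that, use the tools the post names. The host name, the cookie string and the three sample replies are constructed here for illustration, not captured from any real machine.

```python
"""Probe how an RDP listener negotiates security (added example, not from the thread)."""
import socket
import struct

TPKT_VERSION = 3
X224_CR = 0xE0          # X.224 Connection Request TPDU code
X224_CC = 0xD0          # X.224 Connection Confirm TPDU code
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_RDP = 0x0      # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x1      # TLS
PROTOCOL_HYBRID = 0x2   # CredSSP, i.e. Network Level Authentication

NEG_FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie="probe"):
    """TPKT + X.224 CR + routing cookie + RDP Negotiation Request (MS-RDPBCGR 2.2.1.1)."""
    cookie_field = f"Cookie: mstshash={cookie}\r\n".encode("ascii")   # cookie value is a placeholder
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # fixed part after LI: code, DST-REF (2), SRC-REF (2), class option; then the variable part
    x224_body = bytes([X224_CR, 0, 0, 0, 0, 0]) + cookie_field + neg_req
    x224 = bytes([len(x224_body)]) + x224_body                        # LI covers everything after it
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Describe the server's answer: which protocol it selected, or why it refused ours."""
    if len(data) < 11:
        raise ValueError("too short for TPKT + X.224 Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION or tpkt_len != len(data):
        raise ValueError("malformed TPKT header")
    length_indicator, code = data[4], data[5] & 0xF0
    if code != X224_CC:
        raise ValueError(f"expected Connection Confirm, got TPDU code 0x{code:02x}")
    answer = {"selected_protocol": None, "failure": None}
    if length_indicator > 6:            # variable part carries rdpNegRsp or rdpNegFailure
        if len(data) < 19:
            raise ValueError("negotiation structure truncated")
        neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
        if neg_len != 8:
            raise ValueError("bad negotiation structure length")
        if neg_type == TYPE_RDP_NEG_RSP:
            answer["selected_protocol"] = value
        elif neg_type == TYPE_RDP_NEG_FAILURE:
            answer["failure"] = NEG_FAILURE_CODES.get(value, f"UNKNOWN_{value}")
        else:
            raise ValueError(f"unexpected negotiation type 0x{neg_type:02x}")
    return answer


def classify(answer):
    """Reduce a parsed answer to the one label a scan report needs."""
    if answer["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "nla-required"
    if answer["failure"] in ("SSL_REQUIRED_BY_SERVER", "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "tls-required"
    if answer["failure"] is not None:
        return "refused:" + answer["failure"]
    if answer["selected_protocol"] in (None, PROTOCOL_RDP):
        # no negotiation at all (older servers) or legacy security accepted:
        # the listener talks to anyone before a credential is checked
        return "standard-rdp-accepted"
    return "negotiated:" + hex(answer["selected_protocol"])


def probe(host, port=3389, timeout=5.0):
    """Ask a live host for standard RDP security and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        head = sock.recv(4)
        if len(head) < 4:
            raise ConnectionError("no TPKT header")
        body, want = b"", struct.unpack(">H", head[2:4])[0] - 4
        while len(body) < want:
            chunk = sock.recv(want - len(body))
            if not chunk:
                raise ConnectionError("connection closed mid-packet")
            body += chunk
    return classify(parse_connection_confirm(head + body))


def _sample_cc(negotiation=b""):
    """Constructed Connection Confirm (not a real capture) so the parser runs offline."""
    x224_body = bytes([X224_CC, 0, 0, 0x12, 0x34, 0]) + negotiation
    x224 = bytes([len(x224_body)]) + x224_body
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


SAMPLE_LEGACY_ACCEPTED = _sample_cc(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_NLA_REQUIRED = _sample_cc(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5))
SAMPLE_NO_NEGOTIATION = _sample_cc()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python rdp_probe.py 192.0.2.10
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for name, sample in (("legacy", SAMPLE_LEGACY_ACCEPTED), ("nla", SAMPLE_NLA_REQUIRED),
                             ("old", SAMPLE_NO_NEGOTIATION)):
            print(name, classify(parse_connection_confirm(sample)))
```

Run it with no arguments to see the three constructed replies classified; pass a host name or address to probe a machine you are authorised to test. Requesting PROTOCOL_RDP rather than TLS or CredSSP is deliberate: a server configured to require NLA answers that request with failure code 5, so one round trip distinguishes "anyone can reach the pre-authentication code" from "credentials first".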
I thought I would see how much toilet paper I need to buy
https://dr-flay.vivaldi.net/if-a-goldbrute-bluekeeps-probing-my-rsdp-will-it-be-eternalblue/ -
Thanks for sharing these insights @Dr-Flay not fun indeed...
In case you haven't seen it, I usually feature your posts on our frontpage on vivaldi.net as I did it with your post from today. -
It should be noted that without extra info, such as "did GreyNoise recently add more ability to see the activity?" it is difficult to say for sure if the recent frenzy of activity is valid.
However we would see other "patterns of interest" in previous months, even with less data points available.
Insight from @yngve would be more useful perhaps. -
Thanks for promoting my blog posts. I wondered if there was a glitch when I kept seeing them. Feels a bit weird seeing them on the front page.
It makes me think "Oh hell! I better re-read it again and make sure it makes sense".
My blog is mostly for my reference and for the listeners of my radio show. Often there will be a topic that is difficult to get across on radio without some reference.
Normally I don't feel like clutching a pillow while writing a blog, but this is a storm gathering, and the fix is to patch a lot of obviously abandoned or unmaintained servers and PCs that will not be updated.
There have even been discussions about the legality of a Whitehat task force just brute-force fixing everything they can.
Currently that is just an idea we all agree we must not do.
However, reality sucks and Gov agencies do illegal things towards their people already, so it won't be so long into a botnetpocalypse that klaxons are screaming, bells are ringing and the illegal thing has to be done anyway.
The only option I could see without fixing the problem is to simply remove those vulnerable IPs from all DNS. Blackhole them until the owners wake up and update.
-