A botnet is currently scanning the internet in search of poorly protected Windows machines with Remote Desktop Protocol connection enabled. Called GoldBrute, the malware compiled a list of over 1.5 million unique systems and tested access with brute-force credential stuffing attacks, ZDNet reported.
— SANS ISC (@sans_isc) June 6, 2019
“If you provide a door, attackers will try to get in, even if it’s just for curiosity purposes. An attacker may not know what is available behind an exposed service – it could be an empty server or it could be a database with millions of valuable user records.
Having protocols such as RDP and telnet enabled and available in “the wild” has historically attracted botnet attacks such as Mirai and now GoldBrute.
The safest approach is to not allow any communication to the exposed services unless it is expected.
This can be done with simple security groups in AWS and Azure, which allow you to specify where access is allowed from.
According to the edgescan vulnerability stats report from 2019, 3.05% of the systems undergoing continuous profiling have RDP exposed. This constitutes 7,625 machines in a sample of 250,000 systems. Given that all it takes is one mispatched/unpatched machine for a security incident to take place, these organisations should make sure that their patching policy is updated and that they obtain full visibility over their exposed entry points.”