The Internet Storm Center reports:
RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this “Bluekeep” vulnerability focused on patching vulnerable servers, exposing RDP to the Internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them.
The latest example of such a botnet is an ongoing malicious campaign we are refering to as “GoldBrute”. This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet… Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.
Long-time Slashdot reader UnderAttack writes:
Infected systems will retrieve target lists from the command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent “BlueKeep” vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.