A botnet is brute-forcing over 1.5 million RDP servers all over the world
According to a June 6, 2019 ZDNet article, security researchers have discovered a botnet that is brute-force attacking RDP Servers worldwide. The botnet, named GoldBrute attempts to force login to RDP servers.
Once an RDP server is found, the command is sent to each infected host, which then attempts one username and password combination against the RDP server. As more and more host become infected and become a ‘bot’ then there are increasing more and more hosts to attempt the brute-force login attempt. Since only attack only comes from one host, detecting is difficult without constant log file monitoring or a Security Event Information Management System (SEIMs) in place. Blocking the attack is impossible since there is no way to know any information about the hosts launching the next attack.
As we have recommended over and over again, the only way to protect your RDP servers from brute-force attacks is to put your RDP servers behind a VPN or to use Multi-Factor Authentication (MFA).
For the full article, please see this link (https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rdp-servers-all-over-the-world/?ftag=TRE-03-10aaa6b&bhid=27522308900741237859456728571052).