Current Attacks: Massive 1.6Mil unique addresses found hacked by “GoldBrute”

Internet Storm Center discusses an attack by the ‘GoldBrute’ botnet

They found 1.5 million servers being used by the botnet.

This points to a weakness in Microsoft software (CVE-2019-0708), described on Microsoft's May 14 Customer Guidance page:

Specifically, for CVE-2019-0708:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

So it seems GoldBrute is taking advantage of this Microsoft weakness to infect machines that have not been patched, especially older systems (Windows 7 and Windows Server 2008). You can address this by downloading the patch and updating as soon as possible.

The other solution is to disable Remote Desktop Services (as per https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708).

A workaround is also possible:

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:

1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2

You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.

2. Block TCP port 3389 at the enterprise perimeter firewall.
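As an added illustration of checking these two workarounds on a single host (this script is not from the ISC write-up or the Microsoft advisory), the PowerShell below reports whether RDP is enabled, whether NLA is required, and which inbound host firewall rules touch TCP/3389; it assumes it runs elevated on the host itself, with English-locale netsh output.

```powershell
# Added example (not from the ISC write-up or Microsoft's advisory): audit a
# Windows host for the two conditions above and, with -Remediate, require NLA.
# Assumptions: run elevated on the host itself; English-locale netsh output.
# Win32_TSGeneralSetting and fDenyTSConnections are the documented settings
# behind the "Remote" tab of System Properties.
param([switch]$Remediate)   # report only unless -Remediate is given

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpTcp    = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

if ($rdpDenied -eq 1) {
    Write-Output 'Remote Desktop connections are disabled: the "disable RDS" mitigation is in effect.'
}
elseif ($rdpTcp.UserAuthenticationRequired -eq 1) {
    Write-Output 'NLA is required on RDP-Tcp: an unauthenticated client is rejected before it can send crafted requests.'
}
else {
    Write-Warning 'RDP is enabled and NLA is NOT required: pre-authentication traffic reaches Remote Desktop Services.'
    if ($Remediate) {
        # Documented WMI method; 1 = require Network Level Authentication.
        $result = $rdpTcp.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -eq 0) { Write-Output 'NLA requirement enabled on RDP-Tcp.' }
        else { Write-Warning "SetUserAuthenticationRequired failed with code $($result.ReturnValue)" }
    }
}

# Workaround 2 is enforced at the perimeter, but list any inbound host firewall
# rule that touches TCP/3389 so the local picture is known too. netsh is used
# because Windows 7 / Server 2008 R2 do not ship the NetSecurity cmdlets.
$ruleText = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
foreach ($block in ($ruleText -split "`n\s*`n")) {
    if ($block -match 'Protocol:\s+TCP' -and $block -match 'LocalPort:\s+3389\b') {
        $name    = [regex]::Match($block, 'Rule Name:\s+(.+)').Groups[1].Value.Trim()
        $enabled = [regex]::Match($block, 'Enabled:\s+(\S+)').Groups[1].Value
        $action  = [regex]::Match($block, 'Action:\s+(\S+)').Groups[1].Value
        $remote  = [regex]::Match($block, 'RemoteIP:\s+(.+)').Groups[1].Value.Trim()
        Write-Output ("Inbound rule '{0}': enabled={1} action={2} remoteip={3}" -f $name, $enabled, $action, $remote)
    }
}
```

Run it without arguments first to see the current state; rerun with -Remediate only after confirming that the clients connecting to the host support NLA, since requiring it also rejects legitimate clients that do not.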


Contact Us to discuss this latest possible attack and remediate your #cybersecurity risks
