A much-favored way to compromise organizations is by targeting environments that use Remote Desktop Protocol (RDP). RDP, developed by Microsoft, is a convenient way to remotely access IT systems, and clients for it exist on a wide variety of platforms. But it can also be high risk. If an RDP service is exposed to the internet and misconfigured, malicious actors can use search engines for internet-connected devices, such as Shodan and Censys, to find the exposed listeners. Once an RDP instance has been found, attackers can use a number of tactics, techniques and procedures (TTPs) to try to gain a foothold on the system. The most popular TTPs threat actors use to gain access to RDP instances are brute-force and password-spraying attacks.
Brute-force attacks repeatedly submit username and password guesses against one or a few accounts in search of a combination that works. Password spraying inverts this: a small set of common or default passwords (password, for example) is tried against many accounts and many hosts, in the hope of finding a misconfigured machine, while keeping the number of attempts per account low enough to stay under lockout thresholds. RDP's weaknesses can be reduced by not exposing the service directly to the internet (placing it behind a VPN or gateway and restricting source addresses), requiring Network Level Authentication, enforcing account lockout, and using strong passwords with multifactor authentication (MFA). Although awareness of this simplistic avenue for exploitation has been rising, a surprising number of organizations still become victims of ransomware and other attacks through this initial access vector. RDP continues to be exploited by today's ransomware groups.
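The distinction drawn above, one account hammered from one source versus many accounts touched a few times each, is also what a defender keys on. The following Python is an added example, not code from the original post, that classifies failed RDP logons per source address over constructed, flattened Windows Security log lines modelled on Event ID 4625 (logon failure). The line layout, field names and thresholds are assumptions, and every IP address and username is made up.

```python
"""Classify failed RDP logon activity as brute force, password spray or benign.

Added example, not code from the original post. It consumes constructed,
flattened Windows Security log lines modelled on Event ID 4625 (logon failure);
the line layout, field names and thresholds are assumptions, and every IP
address and username is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 10 = RemoteInteractive (a classic RDP logon). 3 = Network: with Network Level
# Authentication enabled, a failed RDP logon fails in the CredSSP handshake and
# Windows records it as a type 3 failure, so a detector keyed only on type 10
# misses NLA-protected hosts.
RDP_FAILURE_LOGON_TYPES = {10, 3}


def parse_event(line):
    """Parse one constructed line: '<iso-time> <event-id> Key=Value ...'."""
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(fields["LogonType"]),
        "ip": fields["IpAddress"],
        "user": fields["TargetUserName"].lower(),
    }


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def classify_sources(lines, window=timedelta(minutes=10), brute_threshold=20,
                     spray_min_users=10, spray_max_per_user=3):
    """Return {source_ip: 'brute-force' | 'password-spray' | 'benign'}.

    Brute force: one account hammered from one source (>= brute_threshold
    failures inside `window`). Spray: many accounts from one source, each hit
    only a few times, which is exactly the shape that dodges account lockout.
    """
    per_ip = defaultdict(lambda: defaultdict(list))  # ip -> user -> [times]
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_FAILURE_LOGON_TYPES:
            continue
        if ev["ip"] == "-":  # local/console failure, no network source
            continue
        per_ip[ev["ip"]][ev["user"]].append(ev["time"])

    verdicts = {}
    for ip, users in per_ip.items():
        peak_per_user = max(max_in_window(ts, window) for ts in users.values())
        all_times = [t for ts in users.values() for t in ts]
        if peak_per_user >= brute_threshold:
            verdicts[ip] = "brute-force"
        elif (len(users) >= spray_min_users
              and peak_per_user <= spray_max_per_user
              and max_in_window(all_times, window) >= spray_min_users):
            verdicts[ip] = "password-spray"
        else:
            verdicts[ip] = "benign"
    return verdicts


def make_sample():
    """Constructed log lines: one brute forcer, one sprayer, one fat-fingered user."""
    base = datetime(2023, 2, 22, 10, 0, 0)
    fmt = "{t} {eid} LogonType={lt} IpAddress={ip} TargetUserName={u}"
    lines = []
    for i in range(25):  # 25 failures against Administrator in two minutes (NLA host, type 3)
        lines.append(fmt.format(t=(base + timedelta(seconds=5 * i)).isoformat(), eid=4625,
                                lt=3, ip="203.0.113.7", u="Administrator"))
    for i in range(12):  # one try each against 12 accounts in four minutes
        lines.append(fmt.format(t=(base + timedelta(seconds=20 * i)).isoformat(), eid=4625,
                                lt=10, ip="198.51.100.23", u=f"user{i:02d}"))
    for i in range(2):  # two typos half an hour apart
        lines.append(fmt.format(t=(base + timedelta(minutes=30 * i)).isoformat(), eid=4625,
                                lt=10, ip="192.0.2.5", u="jsmith"))
    # Noise the filter must ignore: a successful logon and a console failure.
    lines.append(fmt.format(t=base.isoformat(), eid=4624, lt=10, ip="198.51.100.23", u="user00"))
    lines.append(fmt.format(t=base.isoformat(), eid=4625, lt=2, ip="-", u="jsmith"))
    return lines


if __name__ == "__main__":
    for ip, verdict in classify_sources(make_sample()).items():
        print(f"{ip:16} {verdict}")
```

Two points worth carrying into a real deployment: the spray rule deliberately caps attempts per account, because an attacker staying under the lockout threshold is the whole point of spraying, so a per-account failure count alone never sees it; and the filter admits logon type 3 as well as 10, because on hosts with Network Level Authentication the failed RDP attempt is logged as a network logon failure rather than a RemoteInteractive one.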
One of the most popular tools for brute-forcing RDP credentials is an application called NLBrute. The malicious tool debuted on Feb. 17, 2016, on a cybercrime forum called Antichat, offered by a threat actor who went by the handle dpxaker. NLBrute sold for US$250, payable in either WebMoney (WMZ) or bitcoin. It was the tool of choice for hundreds, perhaps thousands, of threat actors brute-forcing RDP credentials at scale, enabling ransomware, tax fraud and more. Eventually, fraudsters cheated dpxaker out of revenue by releasing cracked 32-bit and 64-bit versions of NLBrute in late 2016 and 2017. In early 2017, dpxaker apologized for being offline and promised to deliver a new version of NLBrute, but the persona disappeared entirely from forums in April 2017.
Then, nearly six years later, dpxaker's handle resurfaced on Feb. 22, 2023. Federal prosecutors in Tampa, Florida, announced that a 28-year-old Russian man, Dariy Pankov, had been extradited to the US from the country of Georgia. Prosecutors unsealed an indictment from April 2019 that accuses Pankov of developing NLBrute and selling 35,000 sets of login credentials. It is alleged that Pankov made US$358,437 selling licenses for NLBrute and stolen login credentials. The indictment alleges that undercover officers bought login credentials for two law firms located in Florida from Pankov, which had been advertised for US$50 and US$19.25 on an underground marketplace. Pankov is charged with one count of conspiracy, two counts of trafficking in unauthorized access devices, two counts of possession of 15 or more unauthorized access devices and two counts of trafficking in computer passwords. Pankov could face up to 47 years in prison.
NLBrute was a pivotal tool for the cybercriminal underground, and while it appears to be past its heyday, cracked versions are still in use. In this blog post, we'll examine NLBrute and RDP risks.
NLBrute: A Speedy Tool
To start brute-forcing credentials, NLBrute needs some input. Users load a list of IP addresses of exposed RDP instances to attack, along with the port to target. RDP usually listens on TCP port 3389, although it can be changed, which is why the port is configurable. NLBrute also accepts lists of usernames and passwords to try against the RDP logon, and once that information is loaded it goes to work. According to a 2021 analysis by CloudSEK, version 1.2 of NLBrute could be driven from a botnet to spread the workload across many sources, which also spreads the failed logons across many source addresses on the victim side. In the initial advertisements on Antichat, dpxaker highlighted some of NLBrute's features, including speed and performance.