- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising NLBrute RDP brute-forcing tool that runs on NLBrute 1.2 and a controlled botnet.
- The NLBrute tool, as mentioned above, is designed to distribute the process of brute-forcing RDP credentials to a controlled botnet of targeted IP addresses that have open RDP ports from across different countries.
- CloudSEK's Threat Intelligence Research team is in the process of validating the post.
AnalysisThe NLBrute RDP brute-forcing tool is used to distribute the workload of finding more valid credentials of RDP accesses. Threat actors use this tool to make more efficient and faster searches on multiple devices using bots instead of running the NLBrute tool on one device. The alleged capabilities of this tool is based on NLBrute v1.2. The tool is used to brute-force RDP credentials, which requires three files to run:
- A list of IP addresses that have open RDP port 3389
- A wordlist of passwords
- A list of username
Impact & Mitigation
|This tool enables threat actors to find potential open RDP ports that allow them to compromise more devices by brute-forcing RDP credentials. Valid RDP credentials can allow actors to: