Category	Adversary Intelligence
Affected Industries	Multiple
Affected Region	Global

Executive Summary

• CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising NLBrute RDP brute-forcing tool that runs on NLBrute 1.2 and a controlled botnet.
• The NLBrute tool, as mentioned above, is designed to distribute the process of brute-forcing RDP credentials to a controlled botnet of targeted IP addresses that have open RDP ports from across different countries. 
• CloudSEK's Threat Intelligence Research team is in the process of validating the post.

[caption id="attachment_17650" align="aligncenter" width="589"] Threat actor’s post on the cybercrime forum[/caption]

Analysis

The NLBrute RDP brute-forcing tool is used to distribute the workload of finding more valid credentials of RDP accesses. Threat actors use this tool to make more efficient and faster searches on multiple devices using bots instead of running the NLBrute tool on one device. The alleged capabilities of this tool is based on NLBrute v1.2. The tool is used to brute-force RDP credentials, which requires three files to run:

• A list of IP addresses that have open RDP port 3389
• A wordlist of passwords
• A list of username

[caption id="attachment_17652" align="aligncenter" width="261"] NLBrute 1.2[/caption] The threat actor has also shared more screenshots that illustrate how the tool operates. The screenshots have been added to the report in the Appendix section.

Impact & Mitigation

Impact

Mitigation

This tool enables threat actors to find potential open RDP ports that allow them to compromise more devices by brute-forcing RDP credentials. Valid RDP credentials can allow actors to: Gain RDP access to the compromised device. Escalate privileges. Lateral movement within the network environment. Deploy different types of malwares including, but not limited to, ransomware. Use the compromised device as a bot to infect other machines.

Use strong passwords. Enable multi-factor authentication for all online accounts. Don’t share OTPs with third-parties. Review online accounts and financial statements periodically. Regularly update all the softwares and apps to the latest patches. Close unused ports of RDP. Use up-to-date end-point prevention and detection tools.

Appendix

[caption id="attachment_17653" align="aligncenter" width="571"] List of controlled bots[/caption] [caption id="attachment_17654" align="aligncenter" width="561"] Running NLBrute tool on the selected bots[/caption] [caption id="attachment_17655" align="aligncenter" width="558"] Controlling the file structure for NLBrute for each client task[/caption] [caption id="attachment_17656" align="aligncenter" width="560"] Selecting and running the brute-force task[/caption] [caption id="attachment_17657" align="aligncenter" width="558"] Showing the result of brute-force credentials[/caption]