GoBruteforcer botnet brute-forces exposed services targeting crypto infrastructure

Operators exploit default credentials to compromise servers, exfiltrate databases and probe TRON and BSC wallets; defensive measures include restricting access and hardening admin panels.

Web3 Wavefronts - Digestible News on Crypto, DeFi and AI · theWeb3.news

January 9, 2026 · 5m 47s

Show Notes

Show description: Researchers name a Go-based botnet GoBruteforcer and report that it brute-forces FTP, MySQL, PostgreSQL and phpMyAdmin instances to compromise Linux hosts that support blockchain and crypto infrastructure. Researchers estimate more than 50,000 publicly reachable servers are vulnerable and report that a number of servers have been incorporated into the botnet. Operators run automated scans using a small, stable pool of usernames and passwords and exploit default credentials, copy-pasted example usernames, and AI-generated configuration snippets that recommend predictable names. Operators target legacy stacks such as XAMPP and open FTP services with out-of-the-box settings for initial access.

After successful access, compromised hosts download a Go payload, register with a command server, and begin parallel scanning of other IP ranges. Post-compromise actions include adding backdoor accounts, exfiltrating databases, and fetching additional modules for spam, proxying, or targeted cryptocurrency theft. Researchers found tooling that queries TRON and Binance Smart Chain balances, a dataset of roughly 23,000 TRON addresses, and on-chain activity consistent with repeated small thefts. Targets include exchanges, custodial backends, analytics platforms, token dashboards and other blockchain applications, and attack runs rotate among blockchain databases, phpMyAdmin and WordPress stacks to evade static blocklists. Potential impacts include theft of user records, disclosure of private keys or seed phrases stored insecurely, wallet draining, infrastructure loss, hosting sanctions and regulatory scrutiny.
Recommended defensive actions include removing unnecessary internet-facing databases and admin panels; replacing default and weak credentials with strong, unique passwords managed by a password manager; auditing AI-generated and template configurations and rotating secrets; disabling unused services and updating or retiring legacy stacks; binding database services to private interfaces and restricting access behind VPNs or allow-listed IPs; enforcing host and network firewall rules, rate limiting and account lockout policies; and enabling multi-factor authentication. Monitoring and response recommendations include logging and telemetry for failed logins, unexpected user creation, new outbound connections and internal scanning behavior; automated alerting for suspicious patterns; regular patching; removal of unneeded plugins and modules; credential and secret reviews; an incident response runbook for brute-force and wallet probing scenarios; and verification of backups and recovery plans. Researchers expect operators to rotate credential lists and targets while reusing the same automated playbook, and defenders can reduce risk by eliminating defaults, restricting access and hardening admin panels.
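As an added example (not from the report or the podcast), the monitoring recommendation above in code: one source failing logins across PostgreSQL, MySQL and FTP inside a short window is the pattern a small-credential-pool brute-forcer produces, and the detector below correlates the three services' authentication failures by source IP. The log lines are constructed, the PostgreSQL log_line_prefix and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the report) in the auth-failure formats of
# PostgreSQL (assumed log_line_prefix '%t [%p] %h '), MySQL 5.7 and vsftpd.
SAMPLE_LOGS = """\
2026-01-09 10:00:01 UTC [811] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2026-01-09T10:00:02.000000Z 8 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
Fri Jan  9 10:00:03 2026 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
2026-01-09 10:00:04 UTC [812] 203.0.113.7 FATAL:  password authentication failed for user "admin"
2026-01-09T10:00:05.000000Z 9 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2026-01-09 10:30:00 UTC [900] 198.51.100.5 FATAL:  password authentication failed for user "alice"
"""

# One regex per service; named groups map the three layouts onto ts/user/ip.
PATTERNS = {
    "postgresql": (re.compile(r'^(?P<ts>\S+ \S+) \S+ \[\d+\] (?P<ip>\S+) FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'), "%Y-%m-%d %H:%M:%S"),
    "mysql": (re.compile(r"^(?P<ts>\S+?)\.\d+Z \d+ \[Note\] Access denied for user '(?P<user>[^']+)'@'(?P<ip>[^']+)'"), "%Y-%m-%dT%H:%M:%S"),
    "vsftpd": (re.compile(r'^(?P<ts>\w{3} \w{3}\s+\d+ [\d:]{8} \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'), "%a %b %d %H:%M:%S %Y"),
}

def parse(line):
    """Normalise one line to (timestamp, service, user, source_ip), or None if it is not an auth failure."""
    for service, (rx, fmt) in PATTERNS.items():
        m = rx.match(line)
        if m:
            return datetime.strptime(m["ts"], fmt), service, m["user"], m["ip"]
    return None

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (services, usernames)} for every source with at least `threshold` failures inside one sliding `window`, counted across all services."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = (sorted({e[1] for e in evs}), sorted({e[2] for e in evs}))
                break
    return alerts

if __name__ == "__main__":
    for ip, (services, users) in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(f"ALERT {ip}: {len(services)} services, usernames tried {users}")
```

Per-service lockout rules would miss this source, since it spreads its attempts across services; correlating by IP is what surfaces it.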

Source: https://web3businessnews.com/crypto/gobruteforcer-crypto-server-attacks/