A Look at NLBrute, the RDP Attack Tool
Mar 15, 2023
A much-favored way to compromise organizations is by targeting environments that use remote desktop protocol (RDP). RDP, developed by Microsoft, is a convenient way to remotely access IT systems and is implemented in a variety of client environments. But it can also be high risk. If an RDP client is exposed to the internet and misconfigured, malicious actors can use search engines for Internet-connected devices, such as Shodan and Censys, to find exposed RDP clients. Once a RDP instance has been found, attackers can utilize a number of tactics, techniques or procedures (TTPs) to try to gain a foothold on the system. Popular TTPs employed by threat actors to gain access to RDP instances are brute-force and password spraying attacks.
Brute-force attacks involve repeatedly entering usernames and passwords in search of a combination that works. Similarly, password spraying repeatedly enters known valid credential combinations, such as admin:password, in the hopes of finding a misconfigured machine. RDP’s weaknesses can be somewhat reduced by not exposing clients directly to the internet and using strong passwords with multifactor authentication (MFA). Although awareness of this simplistic avenue for exploitation has been rising, a surprising number of organizations still become victims of ransomware and other attacks due to this initial access vector. RDP continues to be exploited by today’s ransomware groups.
One of the most popular tools to brute force RDP credentials is an application called NLBrute. The malicious tool debuted on Feb. 17, 2016, on a cybercrime forum called Antichat from a threat actor who went by the handle dpxaker. NLBrute sold for US$250 in either WebMoney (WMZ) or bitcoin. It was a high-quality tool of choice for hundreds, perhaps thousands of threat actors, brute-forcing RDP credentials at scale, enabling ransomware, tax fraud and more. Eventually, fraudsters cheated dpxaker out of revenue by releasing cracked 32-bit and 64-bit versions of NLBrute in late 2016 and 2017. In early 2017, dpxaker apologized for being offline and promised to deliver a new version of NLBrute, but the persona disappeared entirely from forums in April 2017.
Then, nearly six years later, dpxaker’s handle surfaced on Feb. 22, 2023. Federal prosecutors in Tampa, Florida, announced that a 28-year-old Russian man, Dariy Pankov, had been extradited to the U.S. from the country of Georgia. Prosecutors unsealed an indictment from April 2019 that accuses Pankov of developing NLBrute and selling 35,000 sets of login credentials. It’s alleged Pankov made US $358,437 selling licenses for NLBrute and stolen login credentials. The indictment alleges undercover officers bought login credentials for two law firms located in Florida from Pankov, which had been advertised for US $50 and US $19.25 on an underground marketplace. Pankov is charged with one count of conspiracy, two counts of trafficking in unauthorized access devices, two counts of possession of 15 or more unauthorized access devices and two counts of tracking in computer passwords. Pankov could face up to 47 years in prison.
NLBrute was a pivotal tool for the cybercriminal underground, and while it appears to be past its heyday, cracked versions are still in use. In this blog post, we’ll examine NLBrute and RDP risks.
NLBrute: A Speedy Tool
To start brute-forcing credentials, NLBrute needs some information. Users load lists of IP addresses with vulnerable RDP instances to be attacked along with a port number. RDP usually runs on port 3389, although it can be changed. NLBrute also accepts lists of usernames and passwords to be tried against the RDP login panel. Once that information is loaded, NLBrute goes to work. According to an analysis in 2021 by Cloudsek, version 1.2 of NLBrute was compatible with a botnet to spread the workload. In the initial advertisements on Antichat, dpxaker highlighted some of NLBrute’s features, including speed and performance:
The popularity of NLBrute amongst threat actors was underscored in comments on a popular, predominantly Russian-speaking underground forum, after Pankov’s arrest and extradition were announced. One comment indicated that NLBrute was more popular than RDP Forcer, a similar kind of tool. It was also popular because so many RDP hosts were vulnerable at that time to brute-force attacks. When NLBrute was “cracked” – meaning that it could be used without paying a fee – another person commented that everyone in the community wanted the cracked version, and it was difficult to get. Anyone who had a cracked version would then try to sell it, again undercutting dpxaker.
RDP’s convenience comes at a cost: it can pose serious security risks. RDP accounts tend to have higher-level access privileges since they’re used for management and maintenance of networks and software. Such accounts are sought after by attackers, who search for internet-facing instances of RDP using internet-connected device search engines.
Attacks against RDP instances surged as a result of an increase in work-from-home arrangements due to the COVID-19 pandemic in early 2020. Three years on, threat actors still find RDP one of the most fruitful avenues for compromising organizations. For example, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned on March 3, 2023, that RDP is the second most common vector used by the Royal ransomware group to infect organizations.
Organizations have been caught out after attackers found internet-facing RDP instances, which is when brute-force tools such as NLBrute may be put into action. RDP instances that lack MFA and may not have strong passwords could be the most vulnerable to brute-force attacks. Once a brute-force attack is successful, the access lent by a RDP account can allow threat actors to then begin to laterally move through an organization’s infrastructure.
Microsoft has issued advice for how to securely use RDP. One of the top suggestions is for organizations to conduct audits and ensure that RDP is not exposed to the internet. Aside from brute-force attackers, RDP instances exposed to the internet also face risks from software vulnerabilities. In 2019, Microsoft patched a vulnerability known as BlueKeep (CVE-2019-0708), and later in that year, two related vulnerabilities dubbed DejaBlue (CVE-2019-1181 and CVE-2019-1182). All were remote code execution vulnerabilities, which were again opportunities for attackers to compromise systems and represented another compelling reason for defenders to use layered defenses around access to RDP.
Brute-force attacks against RDP may not be the most sophisticated type of intrusion. But if it is a viable path to compromising an organization, attackers will use it.