The Return of GoBruteforcer
Brute force attacks are not a topic I've covered before, and with fairly good reason. Most campaigns these days rely on mimicry, social engineering and obfuscation to get into a system. But that doesn't mean the spray-and-pray tactic is completely gone, as evidenced by Check Point Research's article on a botnet version currently active in the wild.
I covered the topic of weak passwords in November of last year, citing research from Comparitech that collected the most common passwords used by accounts that had been hacked, some 2 billion of them. This current campaign is not nearly so widespread...yet. GoBruteforcer was first reported on in 2023, targeting web servers running phpMyAdmin, MySQL, FTP and Postgres services. As the designation implies, it's written in Golang and uses brute force to gain entry. Brute force is the "trial and error" model whereby an attacker guesses at login credentials until they find one that works. Before exploitation of vulnerabilities became the norm for malware deployment, this was a more common strategy, and it led many web services to implement the security feature of allowing only three login attempts before locking the user out.
The current version is still targeting the same services, but has changed its infrastructure slightly. It uses a two-pronged approach: an Internet Relay Chat bot that enables remote control of the compromised host, and a brute force scanner for public IP addresses. The brute force has been automated and restructured to follow the logic paths of LLMs, since that is pre-collated data. CPR's article points out that this is not likely a deliberate targeting of AI itself; it's simply using that framework of already collected data to make its scanning more successful. The attack also focuses on particular configurations, such as those found in tutorials, demonstrations or preinstalled FTP and default credentials that administrators may not know are there, and therefore never change. Once inside a system or server, the IRC bot then takes over command and control, generally for ransomware purposes.
The campaign has been observed in small batches, usually rotating a list of 200 credentials at a time. While that doesn't sound particularly threatening, given the sheer volume of users on a global scale, Comparitech's list proves that far too many login/password combinations are laughably weak and would not stand up against a focused attack aiming for them. And all it takes is one success to gain entry to a larger array of information in a server setting. Think of how cloud storage operates, holding data from a variety of sources with often just one security checkpoint for access. It is the same issue as ever with trusting a third-party vendor in the supply chain. If that third party is compromised, everything it has access to is also compromised.
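The credential-rotation behaviour above, and the three-failures-then-lock rule mentioned earlier, are the kind of pattern a defender can spot in service logs. The following is an added example, not code from the article or from Check Point Research: it scans constructed, simplified login-audit lines (the log format, IPs and usernames are assumptions) and flags any source that exceeds a failure threshold inside a sliding time window, also noting which default usernames it tried.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article), in an assumed
# simplified format: timestamp, service, source IP, username, result.
SAMPLE_LOG = """\
2026-01-08T10:00:01 postgres 203.0.113.7 admin FAIL
2026-01-08T10:00:02 postgres 203.0.113.7 root FAIL
2026-01-08T10:00:03 postgres 203.0.113.7 postgres FAIL
2026-01-08T10:00:04 postgres 203.0.113.7 user FAIL
2026-01-08T10:00:05 ftp 203.0.113.7 anonymous FAIL
2026-01-08T10:01:00 ftp 198.51.100.4 alice FAIL
2026-01-08T10:01:30 ftp 198.51.100.4 alice OK
2026-01-08T10:30:00 postgres 192.0.2.9 admin FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|OK)$")
# Usernames typically left in place by tutorials and default installs.
DEFAULT_USERS = {"admin", "user", "root", "postgres", "anonymous"}


def parse(log):
    """Yield (timestamp, service, ip, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, svc, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), svc, ip, user, result


def find_bruteforce(log, max_failures=3, window=timedelta(minutes=5)):
    """Return {ip: (failures_in_window, distinct_users, default_users_tried)}
    for every source whose failed logins exceed max_failures within window."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for ts, _svc, ip, user, result in parse(log):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _user) in enumerate(events):
            # All failures from this event forward that fall inside the window.
            in_window = [u for t, u in events[i:] if t - start <= window]
            if len(in_window) > max_failures:
                users = set(in_window)
                flagged[ip] = (len(in_window), len(users), sorted(users & DEFAULT_USERS))
                break
    return flagged
```

A single user who mistypes once and then succeeds (198.51.100.4 above) is not flagged, while a source spraying several default usernames in a few seconds is.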
CPR highlights that GoBruteforcer attacks legacy web server software like Unix and XAMPP, still in use by a large number of websites. Not many malware campaigns can break into Linux systems, given their high degree of personalized configuration, but that protection only works if those configurations are actually personalized. This campaign targets configurations that were never changed from their defaults, which sadly occurs more often than one might think. An ounce of prevention is worth a pound of cure, and the best way to keep GoBruteforcer out is to change those logins and passwords to something other than "user" and "admin".
Posted on LinkedIn, 1/8/26