LemonDuck malware infects endpoints for cryptomining
What’s happening?
LemonDuck is malware that spreads across networks, hijacking endpoints to mine cryptocurrency and to stage further attacks. It targets vulnerable systems, exposed services and weak credentials, turning each infected machine into a node in a criminal botnet.
Barracuda researchers found LemonDuck affecting multiple endpoints and communicating with several malicious domains.
The malware was:
- Running hidden scripts using PowerShell to download further malicious code
- Connecting back to known command-and-control servers
- Setting up scheduled tasks or Windows Management Instrumentation (WMI) events (automated ‘trigger rules’) to re-run malware and maintain long-term persistence
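To check an endpoint for the two persistence mechanisms just listed, the following PowerShell script (added here as an example; it is not Barracuda's tooling and not a LemonDuck signature) enumerates the permanent WMI event subscriptions in root/subscription and every scheduled-task action, and flags the ones that launch a script host with loader-style flags such as -EncodedCommand or -WindowStyle Hidden. The indicator regexes and the list of script hosts are this example's assumptions; run it elevated on the host being triaged.

```powershell
#Requires -RunAsAdministrator
# Added example (not Barracuda's code, not a LemonDuck signature): enumerate WMI
# permanent event subscriptions and scheduled tasks on this host and flag those that
# launch a script host with download-and-execute style flags. The regexes below are
# this example's assumptions, not an exhaustive indicator set.

# Flags and cmdlets commonly seen on hidden loader command lines (assumed indicators).
$SuspiciousArgs = '(?i)-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|IEX|Invoke-Expression|DownloadString|Net\.WebClient'
# Binaries through which such one-liners are typically launched (assumed list).
$ScriptHosts = '(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?$'

function Get-DecodedCommand {
    # Return the plaintext of a -EncodedCommand payload so an analyst can read it; $null if none.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Get-WmiPersistence {
    # A permanent WMI subscription is a filter (the trigger query), a consumer (what runs)
    # and a binding that ties them together. Malware must create all three, so walk the bindings.
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; CIM exposes the referenced instance's key (Name).
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        if (-not $c) { continue }   # other consumer types (e.g. ActiveScriptEventConsumer) not covered here
        [pscustomobject]@{
            Source     = 'WMI'
            Name       = $c.Name
            Trigger    = $f.Query
            Command    = $c.CommandLineTemplate
            Suspicious = [bool]($c.CommandLineTemplate -match $SuspiciousArgs)
            Decoded    = Get-DecodedCommand $c.CommandLineTemplate
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Every action of every registered task; flag those whose binary is a script host
    # AND whose arguments carry loader-style flags. Built-in Windows tasks rarely match both.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in @($t.Actions)) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no command line
            [pscustomobject]@{
                Source     = 'Task'
                Name       = "$($t.TaskPath)$($t.TaskName)"
                Trigger    = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Command    = "$($a.Execute) $($a.Arguments)"
                Suspicious = [bool](($a.Execute -match $ScriptHosts) -and ($a.Arguments -match $SuspiciousArgs))
                Decoded    = Get-DecodedCommand $a.Arguments
            }
        }
    }
}

# Keep every WMI subscription (rare on a clean host, so each one deserves a look) but only
# the flagged tasks (tasks are numerous), then show any decoded payloads in readable form.
$findings = @(Get-WmiPersistence) + @(Get-SuspiciousScheduledTasks | Where-Object Suspicious)
$findings | Format-Table Source, Name, Suspicious, Trigger, Command -AutoSize -Wrap
$findings | Where-Object Decoded | ForEach-Object { "`n[$($_.Name)] decoded -EncodedCommand payload:`n$($_.Decoded)" }
```

Review the WMI rows even when they are not flagged: a filter query on a timer or process-start event bound to a command-line consumer is unusual outside of management software, and the trigger column tells you what re-launches the payload. The decoded payload is printed so the analyst reads the downloader itself rather than its Base64 wrapper.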
Your organization may be at risk if you:
- Have unpatched devices on the network
- Allow weak or reused credentials that make it easier for attackers to move laterally
- Have exposed remote services such as Remote Desktop Protocol (RDP) that could provide an access point for attacks
- Lack visibility into all your endpoints, allowing suspicious or anomalous activity to go unnoticed
- Cannot immediately detect if basic security controls are disabled or bypassed by malware
How to stay safe:
- Keep all software up to date, especially for internet-facing systems
- Limit access to scripting tools such as PowerShell
- Enforce strong credential security, such as multifactor authentication (MFA), and restrict access privileges to the minimum needed
- Monitor for unusual outbound traffic to unknown domains
- Deploy endpoint detection such as Barracuda Managed XDR Endpoint Security to catch behavioral anomalies and detect and contain malware before it can establish long-term persistence
GoldBrute botnet targets exposed remote services
What’s happening?
A proactive SOC threat hunt uncovered an active GoldBrute botnet infection in a customer network. GoldBrute is a Java-based malware family that targets exposed RDP services with brute-force credential attacks.
When a guess succeeds, GoldBrute installs itself on the compromised host, which joins the botnet and in turn scans for new RDP targets and tests credentials against them, expanding the attack with each infection.
In the incident observed by researchers, the malware ran through its own built-in Java runtime while maintaining communication with its botnet infrastructure.
Recent threat intelligence has linked operators associated with GoldBrute to ransomware-related activity, increasing the risk that these infections may serve as an initial foothold for additional malicious activity.
Your organization may be at risk if you:
- Have weak access controls, including weak or reused passwords, no MFA, and RDP exposed directly to the internet
- Don’t monitor login attempts or outbound traffic
- Rely on legacy systems or unpatched hosts
How to stay safe:
- Do not expose RDP directly to the internet and consider secure VPNs or zero-trust access controls
- Enforce strong credential measures, such as MFA
- Limit login attempts and lock accounts after repeat failures
- Monitor for unusual login patterns and outbound connections
Rise in password spraying attacks from Iran targeting VPNs
What’s happening?
Barracuda researchers saw a 55% increase in password spraying activity originating from Iran and targeting FortiGate VPNs during May, compared with the previous month.
Unknown adversaries targeted multiple organizations with repeated login attempts against numerous user accounts, trying to identify valid credentials and gain unauthorized access to VPN infrastructure.
The attempts were unsuccessful, but they highlight the continued focus on remote access infrastructure as an attack target.
Your organization may be at risk if you:
- Rely on passwords rather than MFA for access to VPNs
- Allow weak, reused or predictable passwords
- Have VPN portals exposed to the internet with limited or no restrictions
- Lack geo/IP filtering or anomaly detection
- Don’t monitor repeated failed logins across many accounts
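The monitoring gap named in the GoldBrute section (login attempts) and the one just above (repeated failed logins across many accounts) are the same data problem seen from two sides. The PowerShell below, an added example rather than Barracuda's detection logic, groups Windows logon-failure events (ID 4625) by source address and separates a brute-force pattern (one source, one account, many attempts) from a password spray (one source, many accounts, few attempts each, deliberately staying under any lockout threshold). The thresholds are assumed starting points and the sample events are constructed; the same grouping applies to any authentication log, including VPN portal logs, once user, source and time fields are extracted.

```powershell
# Added example (not Barracuda's detection logic): classify failed-logon activity per
# source address as brute force or password spray. Thresholds are assumed starting points;
# the sample events at the bottom are constructed for the demonstration.

function Get-FailedLogons {
    # Pull event 4625 from the local Security log and flatten the fields we group on.
    # Logon types 3 (network/NLA) and 10 (RemoteInteractive) are the ones RDP produces.
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = [int]$d['LogonType']
        }
    }
}

function Find-CredentialAttacks {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$WindowMinutes = 60,
        [int]$BruteForceMin = 20,      # failures against a single account from one source
        [int]$SprayAccountsMin = 10,   # distinct accounts tried from one source
        [int]$SprayPerAccountMax = 3   # a spray keeps per-account attempts below lockout
    )
    if (-not $Failures) { return }
    # Look at the most recent window only; the classification is per source address.
    $latest = ($Failures | Sort-Object Time -Descending | Select-Object -First 1).Time
    $cutoff = $latest.AddMinutes(-$WindowMinutes)
    foreach ($src in ($Failures | Where-Object { $_.Time -ge $cutoff } | Group-Object Source)) {
        $perUser    = @($src.Group | Group-Object User)   # @() so .Count is the number of accounts
        $maxPerUser = ($perUser | Measure-Object Count -Maximum).Maximum
        $verdict = $null
        if ($maxPerUser -ge $BruteForceMin) { $verdict = 'BruteForce' }
        elseif ($perUser.Count -ge $SprayAccountsMin -and $maxPerUser -le $SprayPerAccountMax) { $verdict = 'PasswordSpray' }
        if ($verdict) {
            [pscustomobject]@{
                Source        = $src.Name
                Verdict       = $verdict
                Attempts      = $src.Count
                Accounts      = $perUser.Count
                MaxPerAccount = $maxPerUser
                RdpLogonTypes = @($src.Group | Where-Object { $_.LogonType -in 3, 10 }).Count
                Sample        = ($perUser | Select-Object -First 5 -ExpandProperty Name) -join ','
            }
        }
    }
}

# Constructed sample: one host brute-forcing 'administrator' over RDP, one host spraying a
# single guess across a user list, and a real user who mistyped twice (must not alert).
$t0 = Get-Date '2025-05-10 02:00:00'
$sample = @(
    foreach ($i in 1..25) { [pscustomobject]@{ Time = $t0.AddSeconds($i * 2);  User = 'administrator'; Source = '203.0.113.7'; LogonType = 10 } }
    foreach ($i in 1..12) { [pscustomobject]@{ Time = $t0.AddSeconds($i * 30); User = "user$i";        Source = '198.51.100.9'; LogonType = 3 } }
    foreach ($i in 1..2)  { [pscustomobject]@{ Time = $t0.AddMinutes($i);      User = 'jdoe';          Source = '10.0.0.5';     LogonType = 10 } }
)

Find-CredentialAttacks -Failures $sample | Format-Table -AutoSize
# Against a live host: Find-CredentialAttacks -Failures (Get-FailedLogons -Hours 24)
```

The two patterns need different responses, which is why they are kept apart: a brute-force source is blocked and the targeted account checked for a successful 4624 logon from the same address, whereas a spray is an early warning that the attacker holds a user list, so the right move is to confirm MFA coverage on every sampled account and to alert on any source that later succeeds against even one of them.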
How to stay safe:
- Ensure MFA is enabled for all remote access services
- Enforce strong password policies
- Limit login attempts, and lock accounts after repeat failures
- Limit unnecessary exposure of VPN services whenever possible
How Barracuda Managed XDR can help your organization
Barracuda Managed XDR delivers advanced protection against the threats identified in this report by combining cutting-edge technology with expert SOC oversight. With real-time threat intelligence, automated responses, a 24/7/365 SOC team, and XDR Managed Vulnerability Security that identifies security gaps and oversights, Barracuda Managed XDR ensures comprehensive, proactive protection across your network, cloud, email, servers, and endpoints, giving you the confidence to stay ahead of evolving threats.
For further information on how we can help, please get in touch with Barracuda Managed XDR.
