BleepingComputer reports that over 50,000 internet-exposed servers could be compromised in the latest wave of attacks involving the GoBruteforcer botnet, also known as GoBrut, which has targeted the databases of cryptocurrency and blockchain projects.
According to an analysis from Check Point Research, threat actors gain initial access by targeting misconfigured XAMPP servers with internet-facing FTP services, then upload a web shell through an insecure MySQL server or phpMyAdmin panel. The web shell is used to retrieve the downloader, IRC bot, and bruteforcer modules. After a 10- to 400-second delay, GoBruteforcer launches up to 95 brute-forcing threads, with the botnet avoiding U.S. government networks, Amazon Web Services cloud ranges, and private networks.
Researchers noted that GoBruteforcer intrusions have been driven by the reuse of typical large language model-generated server configuration snippets, as well as by the persistence of default credentials and open FTP services in XAMPP and other server stacks.
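For defenders, the default-credential exposure described above can be checked in the phpMyAdmin configuration itself. The following is an added example, not code from the article or from Check Point Research: a small audit of a `config.inc.php` body for passwordless-login settings. It assumes the file uses phpMyAdmin's standard `$cfg['Servers'][$i][...]` assignments, and both sample configurations are constructed for illustration.

```python
import re

# Matches phpMyAdmin server settings, e.g. $cfg['Servers'][$i]['password'] = '';
SETTING = re.compile(
    r"""\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*;"""
)

def parse_settings(text):
    """Return {key: value} for every active $cfg['Servers'][$i][...] line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("//", "#", "/*", "*")):
            continue  # a commented-out setting has no effect
        m = SETTING.search(line)
        if m:
            quoted_s, quoted_d, bare = m.group(2), m.group(3), m.group(4)
            settings[m.group(1)] = next(v for v in (quoted_s, quoted_d, bare) if v is not None)
    return settings

def audit(text):
    """List the passwordless-login weaknesses found in a config.inc.php body."""
    s = parse_settings(text)
    findings = []
    # phpMyAdmin defaults: auth_type 'cookie', AllowNoPassword false.
    if s.get("auth_type", "cookie").lower() == "config":
        findings.append("auth_type=config: stored credentials, no login prompt")
    if s.get("password") == "":
        findings.append("empty password for user %r" % s.get("user", ""))
    if s.get("AllowNoPassword", "false").lower() == "true":
        findings.append("AllowNoPassword=true: passwordless accounts may log in")
    return findings

# Constructed sample inputs (not taken from the article or any real host).
WEAK = """
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""
HARDENED = """
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// $cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
"""

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(body) or "no findings")
```

Any finding on an internet-reachable host is a reason to set a database password, switch to an interactive `auth_type`, and restrict access to the panel.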