Many successful cyberattacks still exploit exposed services, weak credentials, and inadequate access controls.
Recent findings from Barracuda Managed XDR highlight how attackers continue to exploit these gaps to deploy malware, compromise remote access infrastructure, and establish persistent footholds within enterprise environments.
Key Takeaways
- Weak credentials, exposed remote services, and insufficient access controls continue to provide attackers with an easy path into enterprise networks.
- Barracuda researchers observed LemonDuck malware, GoldBrute botnet activity, and a 55% increase in password spraying attacks targeting FortiGate VPNs.
- Exposed RDP services and internet-facing VPNs remain high-value targets for credential attacks and ransomware operators.
- Phishing-resistant MFA, timely patching, endpoint visibility, and continuous monitoring can reduce the risk of compromise.
LemonDuck Demonstrates the Risk of Unpatched Systems
Barracuda researchers recently observed multiple LemonDuck malware infections affecting enterprise endpoints.
LemonDuck is malware that hijacks systems for cryptocurrency mining while establishing long-term persistence for additional attacks.
Researchers found the malware downloading additional payloads through PowerShell, communicating with C2 servers, and using scheduled tasks and WMI to maintain persistence.
Once inside a network, LemonDuck can move laterally by exploiting reused credentials or vulnerable systems, increasing both operational disruption and recovery costs.
Organizations can reduce their exposure by taking the following steps:
- Apply patches, especially on internet-facing assets
- Limit PowerShell access to authorized administrators
- Enforce phishing-resistant MFA
- Monitor outbound traffic for suspicious domains
- Use EDR/XDR solutions to detect behavioral anomalies
Reducing exposed attack surfaces and improving endpoint visibility can limit LemonDuck’s impact.
GoldBrute Continues to Target Exposed Remote Desktop Services
Barracuda’s team also identified an active GoldBrute botnet infection during a proactive threat hunt.
GoldBrute is a Java-based malware family that targets internet-facing remote desktop protocol (RDP) services using brute-force credential attacks.
When attackers successfully compromise an RDP system, the infected host becomes part of the GoldBrute botnet, scanning for additional victims while launching credential attacks against other exposed systems.
During the observed incident, the malware executed through Java components while maintaining communication with botnet infrastructure.
Recent threat intelligence has associated GoldBrute operators with ransomware-related activity, suggesting these infections may represent an initial access vector for more destructive attacks.
Organizations operating exposed RDP services without MFA, account lockout policies, or strong password requirements face increased risk.
Defensive measures include removing RDP from direct internet exposure, requiring secure VPN or Zero Trust Network Access (ZTNA) solutions, enforcing phishing-resistant MFA, restricting repeated login attempts, and monitoring authentication logs for abnormal activity.
Password Spraying Against VPNs Remains a Persistent Threat
Barracuda researchers also reported a 55% increase in password spraying activity originating from Iran during May compared to the previous month.
The campaigns primarily targeted FortiGate VPN infrastructure by attempting a small number of common passwords across many user accounts rather than repeatedly attacking a single account.
Although the observed attacks were unsuccessful, they demonstrate that remote access infrastructure remains a high-value target for adversaries seeking initial network access.
“The sharp increase in password spraying and attacks targeting exposed remote services highlights how threat actors continue to exploit some of the most persistent gaps in enterprise security,” said Laila Mubashar, Senior Cybersecurity Analyst at Barracuda Managed XDR, in an email to eSecurityPlanet.
Laila explained, “These attacks are low cost, scalable and often highly effective when organizations lack strong access controls.”
She added, “To stay protected, businesses should focus on reducing exposed attack surfaces, enforcing multifactor authentication, strengthening password policies, and investing in continuous monitoring to identify suspicious activity before it escalates into compromise.”
Organizations that rely only on passwords for internet-facing VPNs remain vulnerable to credential attacks, especially when weak passwords and limited login monitoring are involved.
Organizations should enable MFA, enforce strong password policies, use password managers, monitor for password spraying attempts, and minimize exposure of internet-facing VPN services.
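As an added example (not from the article or from Barracuda), the following Python reads constructed VPN-style authentication log lines and flags the two failure patterns discussed in the GoldBrute and password spraying sections above: repeated failures against a single account from one source, and single failures spread across many accounts from one source. The log format, addresses, usernames and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (hypothetical key=value format,
# documentation-range addresses); not taken from any product or the article.
SAMPLE_LOG = """\
2024-05-03T10:00:01Z src=198.51.100.7 user=alice result=fail
2024-05-03T10:00:02Z src=198.51.100.7 user=bob result=fail
2024-05-03T10:00:03Z src=198.51.100.7 user=carol result=fail
2024-05-03T10:00:04Z src=198.51.100.7 user=dave result=fail
2024-05-03T10:00:05Z src=198.51.100.7 user=erin result=fail
2024-05-03T10:00:06Z src=198.51.100.7 user=frank result=fail
2024-05-03T10:01:00Z src=203.0.113.9 user=admin result=fail
2024-05-03T10:01:01Z src=203.0.113.9 user=admin result=fail
2024-05-03T10:01:02Z src=203.0.113.9 user=admin result=fail
2024-05-03T10:01:03Z src=203.0.113.9 user=admin result=fail
2024-05-03T10:01:04Z src=203.0.113.9 user=admin result=fail
2024-05-03T10:05:00Z src=192.0.2.44 user=alice result=fail
2024-05-03T10:05:10Z src=192.0.2.44 user=alice result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def classify_sources(log_text, spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_failures=5):
    """Return {src: label} for sources whose failed logins look like password
    spraying (many accounts, at most a few failures each) or brute force
    (many failures against one account). Other sources are omitted.
    Thresholds are illustrative; tune them to the environment's baseline."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "fail":
            failures[m.group("src")][m.group("user")] += 1

    verdicts = {}
    for src, per_user in failures.items():
        if any(n >= brute_min_failures for n in per_user.values()):
            verdicts[src] = "brute-force"
        elif len(per_user) >= spray_min_accounts and max(per_user.values()) <= spray_max_per_account:
            verdicts[src] = "password-spray"
    return verdicts


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {label}")
```

In production the counts would be kept per time window and correlated with lockout and MFA events rather than over a whole file.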
Building Stronger Identity Defenses
While LemonDuck, GoldBrute, and password spraying campaigns use different techniques, they all exploit the same underlying weaknesses: insufficient identity protection and exposed remote access services.
MFA, least privilege, monitoring, patching, and reduced internet exposure can help prevent opportunistic attacks from escalating into broader compromise.
Organizations looking to strengthen identity security and remote access should also consider how zero trust solutions can help reduce the attack surface and limit lateral movement.