Massive multi-country botnet targets RDP services in the US

A large-scale botnet is targeting Remote Desktop Protocol (RDP) services in the United States from more than 100,000 IP addresses.

The campaign started on October 8 and based on the source of the IPs, researchers believe the attacks are launched by a multi-country botnet.

RDP is a network protocol that enables remote connection and control of Windows systems. It is typically used by administrators, helpdesk staff, and remote workers.

Attackers often scan for open RDP ports or try to brute-force logins, exploit vulnerabilities, or perform timing attacks.

In this case, researchers at threat monitoring platform GreyNoise found that the botnet relies on two types of RDP-related attacks:

  1. RD Web Access timing attacks – Probes RD Web Access endpoints and measures response-time differences during anonymous authentication flows to infer valid usernames

  2. RDP web client login enumeration – Interacts with the RDP Web Client login flow to enumerate user accounts by observing the difference in server behavior and responses

GreyNoise detected the campaign after an unusual traffic spike from Brazil, followed by similar activity from a wider geography, which includes Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador.

The company says that the full list of countries with compromised devices in the botnet exceeds 100.

Unusual activity spike from Brazil
Source: GreyNoise

Nearly all IP addresses share a common TCP fingerprint, and although there are variations in the (Maximum Segment Size), the researchers believe that these are due to the clusters forming the botnet.

To defend against this activity, system administrators are recommended to block the IP addresses that launch the attacks and to check the logs for suspicious RDP probing.

As a general recommendation, a remote desktop connection should not be exposed to the public internet and adding a VPN and multi-factor authentication (MFA) adds a layer of protection.

Join the Breach and Attack Simulation Summit and experience the future of security validation. Hear from top experts and see how AI-powered BAS is transforming breach and attack simulation.

Don’t miss the event that will shape the future of your security strategy


Source link
Related Articles

Related posts:

  1. Surge in coordinated scans targets Microsoft RDP auth servers
  2. Attackers exploit link-wrapping services to steal Microsoft 365 logins
  3. Apple says the iPhone 17 comes with a massive security upgrade
  4. New VoidProxy phishing service targets Microsoft 365, Google accounts
See also  Canada dismantles TradeOgre exchange, seizes $40 million in crypto
Exit mobile version