Surge in coordinated scans targets Microsoft RDP auth servers

Internet intelligence firm GreyNoise reports that it has recorded a significant spike in scanning activity consisting of nearly 1,971 IP addresses probing Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in unison, suggesting a coordinated reconnaissance campaign.

The researchers say that this is a massive change in activity, with the company usually only seeing 3–5 IP addresses a day performing this type of scanning.

GreyNoise says that the wave in scans is testing for timing flaws that could be used to verify usernames, setting up future credential-based attacks, such as brute force or password-spray attacks.

Timing flaws occur when the response time of a system or request unintentionally reveals sensitive information. In this case, a slight timing difference in how quickly RDP responds to login attempts with a valid user compared to an invalid one could allow attackers to infer if the username is correct.

GreyNoise also says that 1,851 shared the same client signature, and of those, approximately 92% were already flagged as malicious. The IP addresses predominantly originate from Brazil and targeted IP addresses in the United States, indicating it may be a single botnet or toolset conducting the scans.

Unique IP addresses performng Microsoft RDP web client login enumeration
Source: GreyNoise

The researchers say that the timing of the attack coincides with the US back-to-school season, when schools and universities may be bringing their RDP systems back online.

“The timing may not be accidental. August 21 sits squarely in the US back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts,” explains GreyNoise’s Noah Stone.

See also  The best streaming deals: Disney Plus, HBO Max, Netflix, and more

“These environments often use predictable username formats (student IDs, firstname.lastname), making enumeration more effective. Combined with budget constraints and a priority on accessibility during enrollment, exposure could spike. “

However, the surge in scans could also indicate that a new vulnerability may have been found, as GreyNoise has previously found that spikes in malicious traffic commonly precede the disclosure of new vulnerabilities.

Windows admins managing RDP portals and exposed devices should make sure their accounts are properly secured with multi-factor authentication, and if possible, place them behind VPNs.

46% of environments had passwords cracked, nearly doubling from 25% last year.

Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.


Source link
Related Articles

Related posts:

  1. Ransomware gangs join attacks targeting Microsoft SharePoint servers
  2. Microsoft investigates outage affecting Microsoft 365 admin center
  3. Akira ransomware abuses CPU tuning tool to disable Microsoft Defender
  4. Microsoft releases emergency updates to fix Windows recovery
Exit mobile version