Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge
Summary:
Security intelligence firm GreyNoise has issued a warning regarding a significant and widespread increase in probing activity targeting Microsoft Remote Desktop (RDP) services. The activity, which began as a sharp spike on August 21, involved nearly 2,000 malicious IP addresses and rapidly escalated into a global campaign by August 24, with over 30,000 unique IPs participating. This synchronized attack dwarfs the typical daily baseline and is characterized by attackers using a single toolset or botnet module to map RDP authentication surfaces.
The primary goal of this reconnaissance is to identify valid usernames through timing attacks and login enumeration. By analyzing subtle differences in how authentication portals respond, attackers can confirm which accounts exist, a crucial first step before launching more direct credential-based attacks such as password spraying or brute-force attempts. The attacks were heavily concentrated from sources in Brazil, with the United States being the primary target. GreyNoise noted that the timing of the surge aligns with the back-to-school period in the U.S., a time when educational institutions bring new remote access and lab environments online, often with predictable username formats that make enumeration easier. GreyNoise warns that the information gathered in this reconnaissance can be used for future credential-based attacks. The company also highlighted a historical trend in which surges in attacker activity often precede the public disclosure of a new vulnerability within a six-week period. Hours after publishing its blog post, GreyNoise identified that over 30,000 unique IPs had simultaneously triggered both the Microsoft RD Web Access and Microsoft RDP Web Client tags, largely from the same client signature.
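The two signals described above, a surge in distinct source IPs against the RDP authentication surface and single sources cycling through many usernames, can be checked from a defender's own authentication logs. The following is an added example, not code from GreyNoise or the page; the log format and the sample lines are constructed and assumed.

```python
import re
from collections import defaultdict
from statistics import median
# Constructed sample RD Web Access / RDP auth log lines (assumed format, not real data):
# "<ISO timestamp> src=<ip> user=<name> result=<success|failure>"
SAMPLE_LOGS = [
    "2025-08-18T09:00:00 src=203.0.113.5 user=jsmith result=success",
    "2025-08-19T10:12:00 src=198.51.100.7 user=alee result=failure",
    "2025-08-20T08:30:00 src=198.51.100.9 user=mkhan result=success",
    "2025-08-21T08:00:01 src=192.0.2.10 user=student001 result=failure",
    "2025-08-21T08:00:02 src=192.0.2.10 user=student002 result=failure",
    "2025-08-21T08:00:03 src=192.0.2.10 user=student003 result=failure",
    "2025-08-21T08:00:05 src=192.0.2.11 user=student001 result=failure",
    "2025-08-21T08:00:06 src=192.0.2.12 user=student001 result=failure",
    "2025-08-21T08:00:07 src=192.0.2.13 user=student001 result=failure",
]
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ src=(\S+) user=(\S+) result=(\S+)$")

def parse(lines):
    """Yield (day, src_ip, user, result) for each well-formed line; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def unique_sources_per_day(lines):
    """Count distinct source IPs touching the RDP auth surface on each day."""
    per_day = defaultdict(set)
    for day, src, _user, _result in parse(lines):
        per_day[day].add(src)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

def surge_days(lines, multiplier=3.0):
    """Flag days whose unique-source count exceeds multiplier x the median of the other days."""
    counts = unique_sources_per_day(lines)
    flagged = []
    for day, n in counts.items():
        others = [c for d, c in counts.items() if d != day]
        baseline = median(others) if others else 0
        if n > multiplier * baseline:
            flagged.append(day)
    return flagged

def enumerating_sources(lines, min_users=3):
    """Return {src_ip: usernames} for sources with failed logins against min_users+ distinct accounts."""
    tried = defaultdict(set)
    for _day, src, user, result in parse(lines):
        if result == "failure":
            tried[src].add(user)
    return {src: sorted(u) for src, u in tried.items() if len(u) >= min_users}
```

On the constructed sample, 2025-08-21 is flagged as a surge day and 192.0.2.10 is flagged for enumerating three distinct student accounts.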
Security Officer Comments:
The scale and coordination of this RDP probing campaign are particularly concerning. While the adversary is not conducting immediate exploitation, the widespread and systematic nature of the account enumeration appears to lay the groundwork for future, more damaging attacks. The timing of the campaign, coinciding with the U.S. back-to-school period, strongly suggests a strategic targeting of educational institutions, which are often less prepared to defend against such a large-scale, coordinated effort. The high percentage of already-known malicious IPs and the shared client signature point to a highly organized threat actor or botnet. The historical correlation between such activity spikes and new vulnerability disclosures serves as a critical warning.
Suggested Corrections:
CISA’s Guide to Securing Remote Access Software
Link(s):
https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-desktop