Surge in Coordinated Scans Targeting Microsoft RD Web Access and RDP Web Client Login Portals
GreyNoise has reported a sharp surge in scanning activity: 1,971 IP addresses probed Microsoft Remote Desktop Web Access and RDP Web Client authentication portals within the same window, against a usual baseline of 3–5 such IP addresses per day. The volume and synchronisation point to a coordinated reconnaissance campaign rather than background noise. The scans appear to be probing for timing flaws that would let an attacker confirm whether a username exists, groundwork for later credential-based attacks such as brute force or password spraying. A timing flaw of this kind arises when a system handles a valid username differently from an invalid one (for example, only running the expensive password check when the account exists), so the response time differs by a measurable margin and an attacker can sort candidate usernames into real and fake without ever supplying a correct password. Of the scanning addresses, 1,851 shared the same client signature, and roughly 92% were already flagged as malicious in GreyNoise's data. Most originate in Brazil and target systems in the United States; the shared signature suggests a single botnet or toolset behind the activity.
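To make the timing flaw concrete, here is an added example in Python (not GreyNoise's or Microsoft's code, and not the RD Web code path itself): a login routine that returns early for unknown usernames, the same routine hardened to do equal work either way, and the measurement a scanner would take against each. The user store, password and KDF iteration count are constructed for the demo.

```python
"""Timing-oracle username enumeration: a vulnerable login routine next to a
hardened one, plus the measurement a scanner would make against each.

Added example for this article, not GreyNoise or Microsoft code. The user
store, passwords and KDF parameters are constructed for the demo."""
import hashlib
import hmac
import os
import statistics
import time

# Deliberately expensive KDF so password verification dominates response time,
# as it does for a real password verifier. Constructed demo parameter.
KDF_ITERATIONS = 120_000


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


# Constructed demo user store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"jsmith": (_SALT, _kdf("correct horse battery staple", _SALT))}

# Dummy credential record used to spend the same work on unknown usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _kdf("dummy-not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown usernames. A failed login for a real account
    costs one KDF run; a failed login for a fake account costs a dict lookup.
    That difference is the timing oracle."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_kdf(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Runs the KDF against a dummy record when the username is unknown and
    compares in constant time, so response time no longer depends on whether
    the account exists."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_kdf(password, salt), stored)
    return match and record is not None


def median_ms(login, username: str, samples: int = 5) -> float:
    """Median wall-clock cost, in ms, of a failed login attempt for `username`."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "definitely-the-wrong-password")
        timings.append((time.perf_counter() - start) * 1000.0)
    return statistics.median(timings)


def timing_gap_ms(login, known_user: str = "jsmith", unknown_user: str = "nosuchuser") -> float:
    """How much longer a failed login takes for a real account than a fake one.
    A clearly positive gap means usernames can be verified without a password."""
    return median_ms(login, known_user) - median_ms(login, unknown_user)


def enumerate_users(login, candidates, min_gap_ms: float = 10.0):
    """Scanner-side view. Candidates whose failed-login latency exceeds that of
    a canary username (one that cannot exist) by `min_gap_ms` are reported as
    real accounts. Against login_hardened nothing stands out."""
    baseline = median_ms(login, "canary-user-that-does-not-exist")
    return sorted(c for c in candidates if median_ms(login, c) - baseline > min_gap_ms)


if __name__ == "__main__":
    candidates = ["jsmith", "mjones", "admin"]  # constructed candidate list
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name:10s} gap={timing_gap_ms(fn):7.2f} ms  "
              f"enumerated={enumerate_users(fn, candidates)}")
```

Run directly, the vulnerable routine shows a gap of tens of milliseconds between a real and a fake account and enumerate_users picks jsmith out of the candidate list; the hardened routine shows a gap near zero and picks out nothing. The point of the fix is to equalise the work done for unknown and known accounts rather than to pad responses, since padding tuned to one machine leaks again under different load.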
The timing of the campaign coincides with the US back-to-school season, when educational institutions bring their RDP systems back online. GreyNoise's Noah Stone notes that the period around August 21 aligns with the onboarding of thousands of new accounts at universities and K-12 schools. These environments often use predictable username formats, such as student IDs or first-name and last-name combinations, which makes enumeration more effective: once the format is known, a timing oracle only has to confirm which generated candidates exist. Budget constraints and a focus on accessibility during enrolment may further increase exposure. The surge could also signal the discovery of a new vulnerability, as previous trends have shown that spikes in malicious traffic often precede vulnerability disclosures. Administrators running RDP portals are advised to require multi-factor authentication and, where possible, to place the portals behind a VPN rather than exposing them directly to the internet. Weak passwords remain a live risk: 46% of environments had passwords cracked, nearly double the 25% of the previous year.
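For defenders who want to spot the pattern GreyNoise describes in their own IIS logs, here is an added example (not GreyNoise's or Microsoft's tooling) that groups RD Web sign-in requests by time window and User-Agent and reports any group with an unusual number of distinct source IPs. User-Agent stands in for the client signature the report mentions, since the article does not say which fingerprint type GreyNoise used; the log lines are constructed, and the 20-IP threshold is an assumption to tune against the 3–5 daily IPs the article gives as the normal baseline.

```python
"""Detect a burst of distinct source IPs sharing one client signature against
RD Web sign-in paths, from IIS W3C logs.

Added example for this article, not GreyNoise or Microsoft tooling. The log
lines are constructed; User-Agent stands in for the client signature the
report mentions. The 20-IP threshold is an assumption to tune against the
3-5 daily IPs the article gives as the normal baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
W3C_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken")


def parse_w3c(log_text: str):
    """Yield one dict per request from an IIS W3C log, using its #Fields header.
    IIS writes spaces inside fields (e.g. User-Agent) as '+', so splitting on
    spaces is safe."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def detect_login_scans(records, window_minutes: int = 60, min_distinct_ips: int = 20):
    """Group RD Web requests by (time window, User-Agent) and report any group
    whose distinct-source-IP count reaches the threshold. Many IPs, one
    signature, one window is the shape of the campaign described above."""
    buckets = defaultdict(set)
    for r in records:
        if not r["cs-uri-stem"].lower().startswith("/rdweb/"):
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        bucket = (ts - EPOCH) // timedelta(minutes=window_minutes)
        buckets[(bucket, r["cs(User-Agent)"])].add(r["c-ip"])
    alerts = []
    for (bucket, ua), ips in buckets.items():
        if len(ips) >= min_distinct_ips:
            alerts.append({
                "window_start": EPOCH + bucket * timedelta(minutes=window_minutes),
                "user_agent": ua,
                "distinct_ips": len(ips),
                "sample_ips": sorted(ips)[:5],
            })
    return sorted(alerts, key=lambda a: a["distinct_ips"], reverse=True)


def build_sample_log(scanner_ips: int = 60) -> str:
    """Constructed IIS log: a few normal users through the day, plus
    `scanner_ips` distinct addresses (TEST-NET-3 range) hitting the RD Web
    login page within ten minutes with one shared User-Agent."""
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Fields: " + W3C_FIELDS]
    normal = [("09:12:44", "198.51.100.7", "Mozilla/5.0+(Windows+NT+10.0)+Edge/126.0"),
              ("11:40:02", "198.51.100.23", "Mozilla/5.0+(Macintosh)+Safari/605.1.15"),
              ("16:05:31", "198.51.100.42", "Mozilla/5.0+(Windows+NT+10.0)+Firefox/128.0")]
    for t, ip, ua in normal:
        lines.append(f"2025-08-21 {t} 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - "
                     f"{ip} {ua} - 200 0 0 210")
    # Unrelated traffic to the same host, which the path filter must ignore.
    lines.append("2025-08-21 12:00:00 10.0.0.5 GET /favicon.ico - 443 - 198.51.100.7 "
                 "Mozilla/5.0+(Windows+NT+10.0)+Edge/126.0 - 404 0 2 3")
    for i in range(scanner_ips):
        minute, second = divmod(i * 10, 60)  # spread the burst over ten minutes
        lines.append(f"2025-08-21 14:{3 + minute:02d}:{second:02d} 10.0.0.5 POST "
                     f"/RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.{i + 1} "
                     f"python-requests/2.31.0 - 200 0 0 312")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_login_scans(parse_w3c(build_sample_log())):
        print(alert)
```

Point the parser at a real RD Web host's W3C logs and lower or raise min_distinct_ips to match your own daily baseline; the grouping key is what matters, since a burst spread across many IPs but sharing one signature is invisible to per-IP rate limits.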
Categories: Cybersecurity Threats, Coordinated Reconnaissance Campaigns, Vulnerability Exploitation
Tags: Scanning Activity, Microsoft Remote Desktop, RDP Web Client, Credential-Based Attacks, Timing Flaws, Username Enumeration, Malicious IP Addresses, Botnet, Back-to-School Season, Multi-Factor Authentication