Internet intelligence firm GreyNoise reports that it has recorded a significant spike in scanning activity involving roughly 1,971 IP addresses, which suggests a coordinated reconnaissance campaign probing Microsoft Remote Desktop Web Access and RDP Web Client authentication portals.
Researchers say this is a major change from the norm: the company usually sees only 3-5 IP addresses a day performing this type of scan.
GreyNoise says the scanning wave is testing for timing flaws that can be used to verify usernames, setting up future credential-based attacks such as brute-force or password-spray attacks.
Timing flaws occur when a system's response time unintentionally reveals sensitive information. In this case, minor differences in how quickly the RDP portal responds to login attempts with an invalid username can allow attackers to infer whether a username is valid.
GreyNoise also says that 1,851 of the IP addresses shared the same client signature, and about 92% of them were already flagged as malicious. The IP addresses originate mainly from Brazil and target IP addresses in the United States, indicating that a single botnet or toolset may be operating the scan.
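The pattern described above (a jump from a handful of source IPs a day to many, most sharing one client signature) is something a defender can look for in their own RD Web Access logs. The following Python is an added example, not code from the article or from GreyNoise; it assumes IIS W3C log fields in the default order, the login path /RDWeb/Pages/en-US/login.aspx, and a constructed log sample.

```python
from collections import defaultdict

# Assumed RD Web Access login path (case-folded) and the article's baseline
# of "only 3-5 IP addresses a day" seen scanning these portals.
RDWEB_LOGIN = "/rdweb/pages/en-us/login.aspx"
BASELINE_MAX_IPS = 5

# Constructed IIS W3C log sample: two quiet days, then a day on which many
# distinct sources hit the login page with one shared client signature.
SAMPLE_LOG = (
    "#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status\n"
    "2025-08-19 09:00:01 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200\n"
    "2025-08-19 09:05:12 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0) 200\n"
    "2025-08-20 10:00:01 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200\n"
) + "".join(
    f"2025-08-21 03:{i:02d}:00 POST /RDWeb/Pages/en-US/login.aspx "
    f"198.51.100.{i} python-requests/2.31 200\n"
    for i in range(1, 13)
)


def parse_iis(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def rdweb_scan_report(log_text, baseline=BASELINE_MAX_IPS):
    """Per day: distinct source IPs hitting the login page, the share of those
    hits carrying the single most common User-Agent, and a spike flag."""
    ips_by_day = defaultdict(set)
    ua_counts = defaultdict(lambda: defaultdict(int))
    for rec in parse_iis(log_text):
        if rec["cs-uri-stem"].lower() != RDWEB_LOGIN:
            continue
        day = rec["date"]
        ips_by_day[day].add(rec["c-ip"])
        ua_counts[day][rec["cs(User-Agent)"]] += 1
    report = {}
    for day, ips in sorted(ips_by_day.items()):
        hits = ua_counts[day]
        report[day] = {
            "distinct_ips": len(ips),
            "top_ua_share": round(max(hits.values()) / sum(hits.values()), 2),
            "spike": len(ips) > baseline,
        }
    return report
```

A day flagged as a spike where nearly all hits share one User-Agent is the signal to pull those sources for blocking and to review authentication attempts from them.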

Source: GreyNoise
Researchers say the timing of the activity matches the US back-to-school season, when schools and universities bring their RDP systems back online.
“The timing may not be coincidental. August 21 sits squarely in the US back-to-school window, when university and K-12 RDP-backed labs and remote access are brought online, along with thousands of new accounts,” explains GreyNoise’s Noah Stone.
“These environments often use predictable username formats (student IDs, firstname.lastname), which makes enumeration more effective. It could also be an exposure spike, with shared and remote access coming online during enrollment.”
However, the increase in scanning may also indicate that a new vulnerability has been found, as GreyNoise has previously observed that spikes in malicious traffic often precede the disclosure of new vulnerabilities.
Windows admins managing RDP portals and exposed devices should ensure their accounts are properly protected with multi-factor authentication and, if possible, place them behind a VPN.