A widespread botnet, comprising over 100,000 IP addresses from more than 100 countries, has initiated a large-scale cyberattack campaign targeting Remote Desktop Protocol (RDP) services in the United States. This attack, which began on October 8th, is a multi-country operation, as indicated by the diverse geographical sources of the IP addresses involved. The attackers are leveraging various methods to compromise RDP, a network protocol that allows for remote access and control of Windows systems, commonly used by IT administrators, support staff, and remote employees. This campaign highlights the persistent threat of large-scale, automated attacks on a foundational tool for modern remote work and system administration.
The botnet is using two distinct techniques to compromise RDP services, according to researchers at the threat monitoring platform GreyNoise. The first method, known as RD Web Access timing attacks, involves probing RD Web Access endpoints. By measuring the slight differences in response times during anonymous authentication attempts, the attackers are able to infer and identify valid usernames. This subtle but effective method allows them to build a list of potential targets for further attacks. The second technique, RDP web client login enumeration, involves interacting with the RDP Web Client login flow. By observing and analyzing differences in server behavior and responses, the attackers can identify valid user accounts. Both of these methods are designed to stealthily gather information and increase the likelihood of a successful login attempt, bypassing more traditional brute-force detection methods.
GreyNoise first detected this campaign after an unusual surge in RDP traffic originating from Brazil. This initial spike was quickly followed by similar activity from a wide array of other countries, including Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, indicating the coordinated nature of the attack. The full list of countries with devices compromised by the botnet is extensive, exceeding 100. Despite minor variations in the Maximum Segment Size (MSS) within the network, nearly all of the IP addresses share a common TCP fingerprint. This shared characteristic led researchers to conclude that the variations are likely due to the different clusters that make up the botnet, rather than individual, uncoordinated attacks.
This campaign serves as a critical reminder of the vulnerabilities associated with internet-facing RDP services. Attackers often scan for open RDP ports and use techniques like brute-force logins, exploiting known vulnerabilities, and now, more sophisticated timing attacks to gain unauthorized access. The sheer scale and multi-country nature of this botnet makes it a significant threat to organizations relying on RDP. It underscores the need for robust security measures beyond simple password policies, as attackers are continuously evolving their techniques to circumvent these protections.
In response to this large-scale threat, security experts recommend that system administrators take immediate action to protect their networks. A primary defense is to block the IP addresses known to be launching these attacks. Additionally, administrators should regularly monitor their logs for any suspicious RDP probing or login attempts. Implementing multi-factor authentication (MFA) on RDP services is also a crucial step, as it can prevent unauthorized access even if an attacker successfully obtains a valid username and password through enumeration or timing attacks. Staying vigilant and proactively managing RDP security is key to mitigating the risk posed by this sophisticated botnet.
Reference:
