An internet intelligence firm, GreyNoise, has reported a significant spike in scanning activity from nearly 2,000 IP addresses targeting Microsoft Remote Desktop portals, which they believe is a coordinated reconnaissance campaign. The scans are testing for timing flaws to verify usernames, likely as a prelude to future brute-force or password-spray attacks.
GreyNoise, an internet intelligence firm, has recently reported a substantial surge in scanning activity, involving nearly 1,971 IP addresses probing Microsoft Remote Desktop (RDP) Web Access and Web Client authentication portals. This sharp increase is highly unusual, as the company typically observes only 3 to 5 IP addresses performing this type of scanning per day. The coordinated nature of this event, with a vast number of IPs acting in unison, suggests a single, organized reconnaissance campaign rather than a collection of random, unrelated attacks. The attackers’ goal appears to be the collection of valid usernames, a critical step for launching more sophisticated credential-based attacks down the line.
The malicious scans are specifically designed to test for timing flaws within the RDP authentication portals. A timing flaw occurs when a system’s response time unintentionally reveals sensitive information. In this case, attackers are looking for a slight difference in how quickly the RDP portal responds to a login attempt with a valid username versus an invalid one. This subtle variation, often undetectable to the naked eye but measurable with automated tools, allows them to infer whether a username is correct. Once a list of valid usernames is compiled through this enumeration process, attackers can then proceed with more direct and effective credential-based attacks, such as brute-force attacks, which systematically try many passwords for a single username, or password-spray attacks, which try a few common passwords against many usernames.
GreyNoise’s analysis of the scanning activity revealed that 1,851 of the IP addresses shared the same client signature, with approximately 92% of them already flagged as malicious. This strong similarity in signatures, combined with the large-scale coordination, points to the possibility of a single botnet or a shared toolset being used to conduct the scans. The IP addresses predominantly originate from Brazil, while the targeted IP addresses are primarily in the United States. This geographic pattern further supports the theory of a centralized operation, as attackers often leverage botnets across different countries to mask their true location and distribute the attack traffic.
The timing of this scanning surge is notable, coinciding with the US back-to-school season.
As schools and universities prepare for the new academic year, they often bring RDP-backed labs and remote access systems back online and onboard thousands of new student and faculty accounts. These educational environments frequently use predictable username formats, such as student IDs or “firstname.lastname,” which makes username enumeration a highly effective reconnaissance tactic. The combination of predictable usernames, increased network exposure, and a potential lag in security updates during the busy enrollment period creates a prime target for attackers. However, some researchers suggest the timing could also indicate that a new, undisclosed RDP vulnerability may have been discovered, as similar spikes in malicious traffic have previously preceded the public disclosure of new flaws.
Given the ongoing threat, Windows administrators responsible for managing RDP portals and other exposed devices must take immediate action to secure their systems. The most critical step is to enable and enforce multi-factor authentication (MFA) on all user accounts. MFA adds a crucial second layer of security, ensuring that even if an attacker obtains a valid username and password, they cannot gain unauthorized access without a second form of verification. Additionally, placing RDP portals behind a VPN (Virtual Private Network) can significantly reduce their exposure to the public internet, restricting access only to users who are first authenticated on the VPN. Keeping systems patched and monitoring logs for unusual activity are also essential practices to mitigate the risk posed by these and future attacks.
Reference:
