Massive Attack Campaign Hits Microsoft’s Remote Desktop Services

Coordinated RDP attacks aim to harvest usernames and pave the way for future credential-based intrusions.


Key Takeaways:

  • Surge in malicious IPs targeting Microsoft RDP services detected.
  • Attackers focus on exploiting authentication flaws for future breaches.
  • Researchers warn of escalating activity linked to global botnets.

Security researchers have warned about a new attack campaign that targets Microsoft’s Remote Desktop Protocol (RDP) services. Nearly 2,000 malicious IPs have specifically hit RD Web Access and RDP Web Client authentication portals in recent days.

Threat intelligence firm GreyNoise detected a significant increase in RDP scans from around 2,000 IP addresses on August 21. This attack campaign aimed to exploit timing flaws in authentication workflows to enumerate valid usernames, which could lead to future password-based attacks like brute-force or credential stuffing.

The researchers identified another wave of RDP attacks on August 24. This time around, over 30,000 unique IPs triggered the same tags, which points to a rapidly escalating campaign.

[Figure: A larger wave of attacks (Image Credit: GreyNoise)]

Which geographic regions are affected?

Out of the 1,971 IPs involved in the surge, 1,851 shared an identical client signature that indicates the use of a single toolset or botnet module. Notably, around 92% of these IPs were already classified as malicious by GreyNoise. The majority of the traffic originated from Brazil, while all targeted systems were located in the United States.

According to GreyNoise, this spike coincided with the US back-to-school period, when educational institutions bring RDP-backed systems online. These often use predictable username formats, which makes them vulnerable to enumeration.

The attackers didn’t exploit systems immediately, but they were strategically gathering valid usernames and identifying exposed endpoints to use in future intrusions. Historically, such spikes in scanning activity often indicate the emergence of new vulnerabilities, with a high likelihood that a CVE will be discovered within six weeks.

Defensive measures to block Remote Desktop attacks

Organizations should take proactive steps to defend against timing-based enumeration and credential attacks. First, they should harden authentication workflows by minimizing response time discrepancies that could reveal valid usernames. Moreover, administrators must implement multi-factor authentication (MFA) to prevent unauthorized access even if usernames are discovered.

Additionally, it’s highly recommended to monitor for unusual scanning activity, especially from foreign IPs, and consider geo-blocking or rate-limiting access to RDP services. Organizations should also regularly audit exposed endpoints and use threat intelligence feeds to help identify and block known malicious IPs.
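As an added illustration of the monitoring advice above (this is not code from the article or from GreyNoise), the following Python groups RD Web Access sign-in attempts by client signature, the pattern the researchers describe where 1,851 of 1,971 IPs shared one signature. The log format, the sample lines and the thresholds are constructed assumptions, not real campaign data.

```python
from collections import defaultdict

# Constructed sample (not real campaign data), IIS-style fields: time, client IP,
# method, URI, status, submitted username, User-Agent (the tail, may contain spaces).
SAMPLE_LOG = """\
2025-08-21T10:00:01 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 401 jsmith ScanBot/1.0
2025-08-21T10:00:02 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx 401 mjones ScanBot/1.0
2025-08-21T10:00:03 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx 401 alee ScanBot/1.0
2025-08-21T10:00:04 203.0.113.13 POST /RDWeb/Pages/en-US/login.aspx 401 bkim ScanBot/1.0
2025-08-21T10:00:05 203.0.113.14 POST /RDWeb/Pages/en-US/login.aspx 401 cwang ScanBot/1.0
2025-08-21T10:00:06 203.0.113.15 POST /RDWeb/Pages/en-US/login.aspx 401 dpatel ScanBot/1.0
2025-08-21T10:00:07 198.51.100.5 POST /RDWeb/Pages/en-US/login.aspx 401 jsmith Mozilla/5.0 (Windows NT 10.0)
2025-08-21T10:00:08 198.51.100.5 POST /RDWeb/Pages/en-US/login.aspx 200 jsmith Mozilla/5.0 (Windows NT 10.0)
2025-08-21T10:00:09 198.51.100.6 GET /RDWeb/Pages/en-US/Default.aspx 200 - Mozilla/5.0 (Windows NT 10.0)
"""
RDWEB_LOGIN = "/RDWeb/Pages/en-US/login.aspx"  # assumed portal login path
FIELDS = ("ts", "ip", "method", "uri", "status", "user", "ua")

def parse_log(text):
    """Split each line into the seven fields above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 6)  # User-Agent keeps its internal spaces
        if len(parts) == 7:
            events.append(dict(zip(FIELDS, parts)))
    return events

def find_enumeration_waves(events, min_ips=5, min_fail_ratio=0.9):
    """Group RDWeb sign-in POSTs by User-Agent. One client signature spread over
    many source IPs and usernames with almost every attempt failing (HTTP 401)
    is the shape of a distributed username-enumeration wave."""
    by_ua = defaultdict(lambda: {"ips": set(), "users": set(), "total": 0, "failed": 0})
    for e in events:
        if e["method"] != "POST" or e["uri"] != RDWEB_LOGIN:
            continue  # only sign-in attempts matter here
        b = by_ua[e["ua"]]
        b["ips"].add(e["ip"])
        b["users"].add(e["user"])
        b["total"] += 1
        b["failed"] += int(e["status"] == "401")
    alerts = {}
    for ua, b in by_ua.items():
        ratio = b["failed"] / b["total"]
        if len(b["ips"]) >= min_ips and ratio >= min_fail_ratio:
            alerts[ua] = {"distinct_ips": len(b["ips"]), "distinct_users": len(b["users"]),
                          "attempts": b["total"], "fail_ratio": ratio}
    return alerts
```

Running `find_enumeration_waves(parse_log(SAMPLE_LOG))` flags only the `ScanBot/1.0` signature (six IPs, six usernames, every attempt failed), while the single browser client with one failed and one successful sign-in stays below both thresholds; in production the same grouping would be fed from the real IIS or RD Gateway logs, with thresholds tuned to the site's normal traffic.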