Large Botnet Targets US RDP Services Globally

by Tekmono Editorial Team
14/10/2025
in News

A large-scale campaign is targeting Remote Desktop Protocol (RDP) services in the United States, utilizing a botnet of more than 100,000 IP addresses. The activity began on October 8, and researchers at the threat monitoring platform GreyNoise believe the attacks originate from a multi-country botnet.

RDP is a network protocol that allows for remote connection and control of Windows systems, commonly used by system administrators, helpdesk staff, and remote employees. Attackers frequently scan for open RDP ports to conduct brute-force logins, exploit vulnerabilities, or perform other attacks.

GreyNoise researchers identified that the botnet employs two specific RDP-related attack methods. The first is an RD Web Access timing attack, where the botnet probes endpoints and measures differences in server response times during anonymous authentication to infer valid usernames. The second method is an RDP web client login enumeration, which interacts with the login process to identify user accounts by observing differing server behaviors and responses.

The campaign was first detected following an unusual spike in traffic originating from Brazil. Activity subsequently emerged from other countries, including Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador. According to GreyNoise, the compromised devices that form the botnet are located in more than 100 countries.

A technical analysis revealed that nearly all of the attacking IP addresses share a common TCP fingerprint. Minor variations in the Maximum Segment Size are believed to be caused by different clusters within the botnet. To mitigate this threat, GreyNoise recommends that system administrators block the identified attacking IP addresses and review system logs for signs of suspicious RDP probing.
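The log review recommended above can be partly automated. The following is an added example, not code from GreyNoise or from this article: it scans IIS W3C logs from an RD Web Access server for login POSTs and reports both single noisy sources and time windows in which many distinct sources each try only once or twice. The log lines are constructed, and the thresholds, the 5-minute window and the chosen log fields are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Constructed sample in IIS W3C format; all IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-10-08 10:00:05 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 200
2025-10-08 10:00:20 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 200
2025-10-08 10:00:41 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 200
2025-10-08 10:01:02 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 200
2025-10-08 10:20:10 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.1 200
2025-10-08 10:21:15 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.2 200
2025-10-08 10:22:40 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.3 200
2025-10-08 10:23:55 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.4 200
2025-10-08 10:40:00 GET /RDWeb/Pages/en-US/login.aspx 192.0.2.50 200
2025-10-08 10:40:12 POST /RDWeb/Pages/en-US/login.aspx 192.0.2.50 302
"""

def parse_iis(text):
    """Yield a dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def rdweb_probing(text, window=timedelta(minutes=5), per_ip=4, distinct_ips=4):
    """Return (noisy source IPs, start times of windows with many distinct sources)."""
    by_ip, buckets = defaultdict(list), defaultdict(set)
    for r in parse_iis(text):
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().startswith("/rdweb/"):
            by_ip[r["c-ip"]].append(r["ts"])
            buckets[(r["ts"] - EPOCH) // window].add(r["c-ip"])
    noisy = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):  # sliding window over this IP's attempts
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= per_ip:
                noisy.add(ip)
    # A distributed botnet stays under per-IP limits, so also count distinct sources.
    spread = sorted(EPOCH + b * window for b, ips in buckets.items() if len(ips) >= distinct_ips)
    return noisy, spread
```

Calling `rdweb_probing(SAMPLE_LOG)` flags `203.0.113.10` as a noisy source and the window starting at 10:20 as distributed probing, while the single login from `192.0.2.50` is ignored.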

As a security best practice, organizations are advised not to expose RDP services directly to the public internet. Implementing a Virtual Private Network (VPN) and requiring multi-factor authentication (MFA) can provide additional layers of protection against such attacks.

Tekmono is a Linkmedya brand. © 2015.