(TLP:CLEAR) Attackers are Scanning Microsoft Remote Desktop Servers in Huge Coordinated Campaign

Summary: Last week, research from intelligence firm GreyNoise observed a substantial increase in scanning activity, with nearly 2,000 unique IP addresses simultaneously probing Microsoft Remote Desktop Access and RDP Web Client authentication portals. A much larger wave of over 30,000 unique IPs was noticed a few days later, largely from the same client signature as the first wave. A normal baseline for these kinds of scans is usually 3-5 IP addresses per day, according to the researchers, indicating a massive coordinated reconnaissance campaign targeting Microsoft Remote Desktop.

Analyst Note: A massive surge in scans could potentially indicate that a new vulnerability has been found, as researchers have previously found spikes in malicious traffic often precede the disclosure of new vulnerabilities. GreyNoise also points out that threat actors have leveraged RDP in the past to conduct espionage, deploy ransomware, and run global exploit campaigns.

Original Source: https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-desktop

Additional Reading:

• Surge in coordinated scans targets Microsoft RDP auth servers

Related WaterISAC PIRs: 6, 10