Security intelligence firm GreyNoise has sounded the alarm over a massive spike in Microsoft Remote Desktop (RDP) probing activity, warning that attackers are actively mapping authentication surfaces to prepare for credential attacks and future exploitation.
According to the report, “On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. Nearly 2,000 IPs — the vast majority previously observed and tagged as malicious — simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals.”
What began as a sudden spike on August 21 quickly escalated into a global wave. GreyNoise revealed: “GreyNoise identified a much larger wave: on August 24, over 30,000 unique IPs simultaneously triggered both Microsoft RD Web Access and Microsoft RDP Web Client tags, largely from the same client signature behind the August 21 spike.”
This activity dwarfs the normal baseline of 3–5 IPs/day, with telemetry showing attackers synchronizing across thousands of nodes in a coordinated campaign.
The campaign focuses on timing attacks and login enumeration. GreyNoise explains: “The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions.”
By measuring subtle differences in authentication responses, attackers can confirm which accounts exist — a key step before launching credential stuffing, password spraying, or brute force attacks.
The data showed:
- 1,851 of 1,971 IPs shared the same client signature, suggesting a single toolset or botnet module.
- 92% of those IPs were already tagged malicious in GreyNoise’s systems.
- Sources were heavily skewed to Brazil (~73%), with the U.S. as the primary target.
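The baseline and shared-signature figures above translate directly into detection logic. The script below is an added example (not GreyNoise's or the article's code): it parses constructed IIS-style log lines for the RD Web Access and RDP Web Client login paths, counts distinct source IPs per day against the 3–5 IPs/day baseline, and reports what share of a spike's sources present the same client signature. The W3C field order, the portal paths and the sample lines are assumptions, not data from the report.

```python
from collections import Counter, defaultdict

# Default RD Web Access and RDP Web Client login paths (assumed IIS deployment).
RDP_PORTAL_PATHS = ("/RDWeb/Pages/en-US/login.aspx", "/RDWeb/webclient/")
BASELINE_IPS_PER_DAY = 5  # upper end of the 3-5 IPs/day baseline cited in the report

def parse_line(line):
    """Parse an IIS W3C line laid out as: date time c-ip cs-uri-stem cs(User-Agent)."""
    parts = line.split()
    if len(parts) < 5 or parts[0].startswith("#"):  # skip header and short lines
        return None
    date, _time, ip, path, agent = parts[:5]
    return date, ip, path, agent

def find_probe_waves(lines, spike_factor=10):
    """Return {date: (unique_ips, share_of_top_agent)} for days whose distinct source-IP
    count against the portals exceeds spike_factor x baseline (high share = one toolset)."""
    ips_by_day = defaultdict(set)
    agents_by_day = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        date, ip, path, agent = rec
        if not path.startswith(RDP_PORTAL_PATHS):
            continue
        if ip not in ips_by_day[date]:  # count each source IP once per day
            ips_by_day[date].add(ip)
            agents_by_day[date][agent] += 1
    waves = {}
    for date, ips in ips_by_day.items():
        if len(ips) > spike_factor * BASELINE_IPS_PER_DAY:
            top_share = agents_by_day[date].most_common(1)[0][1] / len(ips)
            waves[date] = (len(ips), round(top_share, 2))
    return waves

def constructed_sample_log():
    """Constructed sample (not real telemetry): two quiet days around a
    synchronized wave of 60 sources that share one client signature."""
    rows = ["#Fields: date time c-ip cs-uri-stem cs(User-Agent)",
            "2025-08-20 09:12:01 203.0.113.10 /RDWeb/Pages/en-US/login.aspx Mozilla/5.0",
            "2025-08-20 17:44:13 203.0.113.11 /RDWeb/webclient/ Mozilla/5.0",
            "2025-08-21 08:03:55 203.0.113.10 /RDWeb/Pages/en-US/login.aspx Mozilla/5.0"]
    for n in range(1, 61):  # 198.51.100.1 .. .60 hit both portals in lockstep
        rows.append(f"2025-08-21 03:00:00 198.51.100.{n} /RDWeb/Pages/en-US/login.aspx probe-sig/1.0")
        rows.append(f"2025-08-21 03:00:01 198.51.100.{n} /RDWeb/webclient/ probe-sig/1.0")
    rows.append("2025-08-22 10:00:00 203.0.113.12 /RDWeb/webclient/ Mozilla/5.0")
    return rows
```

Running `find_probe_waves(constructed_sample_log())` flags only 2025-08-21, with 61 distinct sources of which 98% share the probe signature; the quiet days stay below the spike threshold.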
The timing of the attacks may be deliberate. “August 21 sits squarely in the US back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts. These environments often use predictable username formats (student IDs, firstname.lastname), making enumeration more effective.”
This alignment suggests attackers are exploiting seasonal exposure when educational institutions are at their most vulnerable.
Even without exploiting a specific vulnerability, this reconnaissance is highly valuable. GreyNoise warns: “A large, uniform, maliciously-classified scanner set is actively mapping Microsoft RDP authentication surfaces for account discovery weaknesses. Even without immediate exploitation, the output of this campaign… is directly reusable for credential stuffing, password spraying, or future exploitation.”
Notably, GreyNoise highlights that in 80% of historical cases, spikes in attacker activity against a technology were followed by the disclosure of a new vulnerability within six weeks.