
Microsoft RDP Under Attack: Coordinated Scan Surge & How to Protect Your Servers

Surge in RDP Scanning Signals Potential Attacks – What You Need to Know

A recent surge in malicious scans targeting Microsoft Remote Desktop Protocol (RDP) has security researchers on alert. GreyNoise, a network intelligence firm, detected a significant spike in activity beginning August 21st, coinciding with the start of the US back-to-school season. This activity isn't just noise; it suggests attackers are actively probing for vulnerabilities and potential entry points into your systems.

What's Happening?

Over 1,851 unique IP addresses were involved in this scanning activity. Worryingly, approximately 92% of these IPs have already been flagged as malicious. The scans primarily originate from Brazil and target systems in the United States, hinting at a coordinated effort – potentially a botnet – focused on RDP exploitation.

[Image of Unique IP addresses performing Microsoft RDP web client login enumeration – Source: GreyNoise]

Why is this a concern for you?

Attackers are employing a technique called timing-based enumeration: they attempt to determine valid usernames by measuring how long your RDP server takes to respond. A slight delay in response time when a correct username is entered can reveal crucial information.

This information can be used to:

Verify usernames: Confirming a valid username is the first step in a credential-based attack.
Prepare for brute-force attacks: Knowing valid usernames dramatically reduces the scope of a brute-force attempt.
Facilitate password-spray attacks: Attackers can test common passwords against known usernames.

The Back-to-School Connection

The timing of this surge is likely not coincidental. Universities and K-12 schools frequently reactivate RDP systems during the back-to-school period to provide remote access to labs and resources. This often involves onboarding thousands of new accounts.

These environments are particularly vulnerable because:

Predictable usernames: Student IDs and standard naming conventions (firstname.lastname) make enumeration easier.
Budget constraints: Security may be deprioritized in favor of accessibility during enrollment.
Increased exposure: More systems and accounts online create a larger attack surface.

Is a New Vulnerability at Play?

While the back-to-school timing is significant, a spike in malicious activity like this often precedes the public disclosure of a new vulnerability. GreyNoise has observed this pattern in 80% of cases where new Common Vulnerabilities and Exposures (CVEs) are announced. It's possible attackers have discovered a previously unknown RDP flaw.

What You Need to Do Now

Protecting your RDP infrastructure is critical. Here's what you should implement immediately:

Enable Multi-Factor Authentication (MFA): This is the single most effective step you can take to secure RDP access. MFA adds an extra layer of security beyond just a username and password.
Implement a VPN: Placing your RDP portals behind a Virtual Private Network (VPN) adds another layer of protection, requiring users to authenticate before accessing the RDP service.
Regularly Audit User Accounts: Review and disable unused or unneeded accounts.
Monitor RDP Logs: Actively monitor your RDP logs for suspicious activity, such as repeated failed login attempts.
Keep Systems Updated: Ensure your Windows systems and RDP clients are patched with the latest security updates.
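One way to act on the "Monitor RDP Logs" recommendation and to catch the username enumeration described earlier, as an added example that is not from the original article or from GreyNoise: a small Python detector run over constructed failed-logon records modelled on Windows Security Event ID 4625, flagging any source address that cycles through many distinct usernames in a short window and listing which of those accounts it has just confirmed exist. The record fields, sample addresses, window and threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Windows Security Event ID 4625 (failed logon).
# Sub-status 0xC0000064 means the account does not exist; 0xC000006A means the
# account exists but the password was wrong. Everything here is invented for
# the example, not captured from a real server.
SAMPLE_EVENTS = [
    {"time": "2025-08-21T08:00:01", "ip": "203.0.113.10", "user": "jsmith",    "substatus": "0xC000006A"},
    {"time": "2025-08-21T08:00:03", "ip": "203.0.113.10", "user": "akhan",     "substatus": "0xC0000064"},
    {"time": "2025-08-21T08:00:04", "ip": "203.0.113.10", "user": "student01", "substatus": "0xC000006A"},
    {"time": "2025-08-21T08:00:06", "ip": "203.0.113.10", "user": "bwong",     "substatus": "0xC0000064"},
    {"time": "2025-08-21T08:00:08", "ip": "203.0.113.10", "user": "cdiaz",     "substatus": "0xC0000064"},
    {"time": "2025-08-21T08:00:09", "ip": "203.0.113.10", "user": "admin",     "substatus": "0xC0000064"},
    # A real user mistyping their own password twice: not enumeration.
    {"time": "2025-08-21T08:01:10", "ip": "198.51.100.7", "user": "mlee",      "substatus": "0xC000006A"},
    {"time": "2025-08-21T08:01:25", "ip": "198.51.100.7", "user": "mlee",      "substatus": "0xC000006A"},
]

def detect_enumeration(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failed logons cover >= min_users distinct usernames
    within any span of length `window`. Returns {ip: summary}; input may be unsorted."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"], e["substatus"]))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until rows[start:end+1] spans <= window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({u for _, u, _ in rows[start:end + 1]}) >= min_users:
                # "Wrong password" responses reveal which usernames really exist:
                # these are the accounts the scanner has now confirmed.
                confirmed = sorted({u for _, u, s in rows if s == "0xC000006A"})
                findings[ip] = {"failed_attempts": len(rows),
                                "distinct_users": len({u for _, u, _ in rows}),
                                "confirmed_users": confirmed}
                break
    return findings

if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {summary}")
```

On a real server the same fields come from the Security log's 4625 events; tune the window and threshold to your own logon volume, and treat the confirmed_users list as the accounts to check first for follow-on password-spray attempts.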

Staying Vigilant

This surge in RDP scanning serves as a stark reminder of the constant threat landscape. By taking proactive steps to secure your systems, you can significantly reduce your risk of becoming a victim. Stay informed about emerging threats and prioritize robust security measures to protect your organization.


Further Resources:

* GreyNoise Blog Post: Surge of malicious IPs Probe Microsoft Remote Desktop
* [BleepingComputer: Spikes in malicious activity precede new CVEs in 80 percent of cases](https://www.bleepingcomputer.com/news/security/spikes-in-malicious-activity-precede-new-
