Tags: other · medium · Infrastructure Concentration · RDP Scanning

Apr 10, 2026 • GreyNoise Blog

Just 21 IP Addresses Are Now Behind Nearly Half of All RDP Scanning on the Internet


Source
GreyNoise Blog
Category
other
Severity
medium

Executive Summary

GreyNoise has identified a significant concentration of Remote Desktop Protocol (RDP) scanning activity originating from just 21 IP addresses, accounting for nearly half of all such traffic on the internet. This campaign highlights a shift in attacker infrastructure patterns: a highly concentrated set of resources is being used to conduct widespread reconnaissance. While no specific threat actor or malware family was explicitly attributed in the provided text, the volume and concentration suggest organized activity that may precede intrusion attempts. The rapid traffic shifts associated with this infrastructure complicate traditional detection methods that rely on static IP blocklists. Defenders are advised to focus on behavioral analysis and robust authentication mechanisms rather than relying solely on IP reputation. This concentration of scanning activity underscores the need for enhanced monitoring of RDP exposure and for network segmentation to mitigate potential brute-force or exploitation attempts stemming from these identified sources.
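The summary's two points, measuring how concentrated RDP scanning is across sources and flagging scanners by behavior rather than by a static blocklist, can be checked directly against firewall logs. The following Python is an added example written for this page, not code from GreyNoise or BrewedIntel. It assumes a simple constructed log format (`<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>`), builds a synthetic log from RFC 5737 documentation addresses, computes the share of attempts produced by the busiest N sources, and applies a sweep-based rule that catches a scanner even when it is absent from the blocklist.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed log line format (constructed for this example, not a vendor format):
#   <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def build_sample_log():
    """Constructed synthetic firewall log: three heavy scanners each sweeping 40 hosts
    on TCP/3389, thirty one-off sources, and one moderately chatty non-scanner.
    All addresses are RFC 5737 documentation ranges."""
    t0 = datetime(2026, 4, 10, tzinfo=timezone.utc)
    lines = []
    for i, src in enumerate(["203.0.113.10", "203.0.113.11", "198.51.100.77"]):
        for n in range(40):  # one probe every ~3 seconds across 40 distinct targets
            ts = t0 + timedelta(seconds=i * 2 + n * 3)
            lines.append(f"{ts.isoformat()} src={src} dst=192.0.2.{n + 1} dport=3389 action=deny")
    for n in range(30):  # legitimate-looking single attempts to one jump host
        ts = t0 + timedelta(minutes=n + 1)
        lines.append(f"{ts.isoformat()} src=198.51.100.{n + 1} dst=192.0.2.5 dport=3389 action=allow")
    for n in range(5):  # repeated attempts, but only two targets: not a sweep
        ts = t0 + timedelta(minutes=5, seconds=n * 20)
        lines.append(f"{ts.isoformat()} src=203.0.113.200 dst=192.0.2.{1 + n % 2} dport=3389 action=deny")
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def aggregate_rdp(lines, port=3389):
    """Per-source statistics for attempts against `port`: attempt count,
    distinct targets, first and last seen."""
    stats = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != port:
            continue
        s = stats.setdefault(
            ev["src"], {"attempts": 0, "targets": set(), "first": ev["ts"], "last": ev["ts"]}
        )
        s["attempts"] += 1
        s["targets"].add(ev["dst"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return stats


def top_n_share(stats, n):
    """Fraction of all attempts produced by the n busiest sources (the concentration figure)."""
    total = sum(s["attempts"] for s in stats.values())
    if total == 0:
        return 0.0
    top = sorted((s["attempts"] for s in stats.values()), reverse=True)[:n]
    return sum(top) / total


def flag_scanners(stats, min_targets=10, max_seconds_per_target=60):
    """Behavioral rule: a source that touches at least `min_targets` distinct hosts on the
    RDP port at a sustained pace is a scanner, whatever any reputation list says."""
    flagged = set()
    for src, s in stats.items():
        n_targets = len(s["targets"])
        if n_targets < min_targets:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        if span / n_targets <= max_seconds_per_target:
            flagged.add(src)
    return flagged


def not_on_blocklist(flagged, blocklist):
    """Scanners caught by the behavioral rule that a static blocklist would have missed."""
    return flagged - set(blocklist)


if __name__ == "__main__":
    stats = aggregate_rdp(build_sample_log())
    print(f"sources seen: {len(stats)}, top-3 share: {top_n_share(stats, 3):.1%}")
    scanners = flag_scanners(stats)
    stale_blocklist = ["203.0.113.10", "203.0.113.11"]  # constructed: knows two of the three
    print("flagged:", sorted(scanners))
    print("missed by blocklist:", sorted(not_on_blocklist(scanners, stale_blocklist)))
```

The sweep rule keys on distinct targets per unit time rather than on raw attempt volume, so the chatty source that hammers two hosts is not flagged while a source that rotates onto a fresh address and starts sweeping is caught on its first pass; that is the property a static blocklist cannot provide when infrastructure shifts quickly.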

Summary

GreyNoise uncovers a concentrated RDP scanning campaign, revealing infrastructure patterns, rapid traffic shifts that impact detection, and recommendations for defenders.
