Oct 20, 2025 • GreyNoise Blog
Threat Actors Deploying New IPs Daily to Attack Microsoft RDP
Executive Summary
GreyNoise intelligence indicates a campaign where unidentified threat actors are utilizing rapidly rotating IP addresses to target Microsoft Remote Desktop Protocol (RDP) infrastructure. The attackers are specifically exploiting timing vulnerabilities associated with RD Web Access and conducting login enumeration attempts to bypass security controls and evade detection mechanisms. This activity highlights the persistent risk associated with exposed RDP services and the evolving techniques used to obscure attack origins. Organizations relying on Microsoft RDP should prioritize implementing network-level authentication, enforcing multi-factor authentication, and restricting RDP access via firewalls or VPNs. Continuous monitoring for unusual login patterns and IP rotation is essential to mitigate the risk of unauthorized access. While no specific malware or attributed group is identified, the technique suggests sophisticated evasion capabilities aimed at compromising remote access gateways. Immediate patching and configuration reviews are recommended to prevent potential credential theft.
Summary
GreyNoise reports attackers using rotating IPs to exploit Microsoft RDP timing vulnerabilities, targeting RD Web Access and RDP login enumeration to evade detection.
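One way to monitor for the IP rotation described above (an added example, not code from GreyNoise or the original page): it contrasts a per-source failure threshold with a daily check for many low-volume, never-before-seen sources. The `date,source_ip,username` log layout, the thresholds, and all sample records are assumptions constructed for illustration, using documentation address ranges.

```python
import csv
import io
from collections import defaultdict

def build_sample():
    """Constructed failed-logon records: date,source_ip,username."""
    rows = []
    nets = {"2025-10-01": "192.0.2", "2025-10-02": "198.51.100", "2025-10-03": "203.0.113"}
    for day, net in nets.items():
        for host in range(1, 7):                   # six fresh sources per day
            for user in ("admin", "svc_backup"):   # two failures per source
                rows.append(f"{day},{net}.{host},{user}")
    for day in ("2025-10-02", "2025-10-03"):       # one noisy, repeating source
        rows += [f"{day},192.0.2.200,alice"] * 12
    for host in range(1, 7):                       # day 4: already-known sources return
        rows.append(f"2025-10-04,203.0.113.{host},admin")
    return "\n".join(rows)

def count_by_day(log_text):
    """Return {date: {source_ip: failure_count}}."""
    per_day = defaultdict(lambda: defaultdict(int))
    for date, ip, _user in csv.reader(io.StringIO(log_text)):
        per_day[date][ip] += 1
    return per_day

def per_ip_alerts(log_text, threshold=10):
    """Per-source rule: flag a source that exceeds `threshold` failures in a day."""
    return sorted({ip for counts in count_by_day(log_text).values()
                   for ip, n in counts.items() if n > threshold})

def rotation_days(log_text, min_ips=5, per_ip_limit=3, min_new_ratio=0.8):
    """Flag days where most low-volume failing sources were never seen before."""
    per_day = count_by_day(log_text)
    seen, flagged = set(), []
    for date in sorted(per_day):
        counts = per_day[date]
        quiet = {ip for ip, n in counts.items() if n <= per_ip_limit}
        fresh = quiet - seen
        # The first day only builds the baseline; every source looks new on it.
        if seen and len(quiet) >= min_ips and len(fresh) / len(quiet) >= min_new_ratio:
            flagged.append((date, len(quiet), len(fresh)))
        seen.update(counts)
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-source rule:", per_ip_alerts(sample))
    print("rotation rule:", rotation_days(sample))
```

On the constructed data the per-source rule sees only the single noisy address, while the rotation rule flags the two days on which six new sources each stayed under the per-source limit.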