Aug 25, 2025 • GreyNoise Blog
Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop After Single-Day Surge
Executive Summary
On August 21, security researchers at GreyNoise detected a significant surge in scanning activity targeting Microsoft Remote Desktop Protocol (RDP) services. Approximately 2,000 malicious IP addresses took part in this coordinated effort, which aimed to exploit timing flaws within the authentication process: measurable differences in how long the service takes to respond to logon attempts for existing versus non-existent accounts let a scanner tell valid usernames apart from invalid ones without knowing any password. The primary objective of this reconnaissance campaign was therefore to enumerate valid usernames, laying the groundwork for subsequent credential-based intrusions such as password spraying. While no specific threat actor or malware family has been attributed to this activity, the scale suggests an organized attempt to compromise remote access endpoints. Organizations utilizing RDP should immediately review their exposure, enforce Network Level Authentication (NLA), and implement multi-factor authentication to mitigate risks. Monitoring for unusual authentication attempts, in particular bursts of failed logons from one source that cycle through many different usernames, and restricting RDP access to trusted IP ranges are critical defensive measures against this prevalent threat vector.
Summary
On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions.
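Username enumeration of the kind described above leaves a recognisable trace on the target: a burst of logon failures from one source address, each naming a different account, most of them for accounts that do not exist. The following detection logic is an added example written for this page, not GreyNoise's tooling or code from the original post. It runs over a small set of constructed, simplified logon-failure records (not real Windows event XML) whose fields mirror Security event 4625: the source IP, the target account, and the NTSTATUS sub-status, where 0xC0000064 means "user name does not exist" and 0xC000006A means "user name is correct but the password is wrong". The IPs come from the RFC 5737 documentation ranges and the thresholds (60-second window, five distinct accounts, half of them unknown) are assumptions to tune per environment.

```python
"""Flag username-enumeration style activity in logon-failure records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs). 203.0.113.10 cycles through six
# accounts in five seconds, five of which do not exist; 198.51.100.7 is a user
# mistyping a password twice and then logging in (4624) and must not be flagged.
SAMPLE_EVENTS = """\
2025-08-21T03:14:07Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=admin SubStatus=0xC0000064
2025-08-21T03:14:08Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=backup SubStatus=0xC0000064
2025-08-21T03:14:08Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=jsmith SubStatus=0xC000006A
2025-08-21T03:14:09Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=svc_sql SubStatus=0xC0000064
2025-08-21T03:14:10Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=helpdesk SubStatus=0xC0000064
2025-08-21T03:14:11Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=administrator SubStatus=0xC0000064
2025-08-21T03:20:00Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=jsmith SubStatus=0xC000006A
2025-08-21T03:20:31Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=jsmith SubStatus=0xC000006A
2025-08-21T03:21:02Z EventID=4624 IpAddress=198.51.100.7 TargetUserName=jsmith SubStatus=0x0
"""

STATUS_NO_SUCH_USER = 0xC0000064  # NTSTATUS: user name does not exist
LOGON_FAILURE = 4625

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) IpAddress=(?P<ip>\S+) "
    r"TargetUserName=(?P<user>\S+) SubStatus=(?P<sub>0x[0-9A-Fa-f]+)$"
)


def parse_events(text):
    """Parse the simplified record format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "eid": int(m["eid"]),
            "ip": m["ip"],
            "user": m["user"].lower(),   # account names are case-insensitive
            "sub": int(m["sub"], 16),
        })
    return events


def find_enumeration(events, window=timedelta(seconds=60),
                     min_distinct_users=5, min_unknown_ratio=0.5):
    """Return one finding per source IP whose logon failures inside any
    `window` name at least `min_distinct_users` accounts, with at least
    `min_unknown_ratio` of those failures being for non-existent users."""
    failures = defaultdict(list)
    for e in events:
        if e["eid"] == LOGON_FAILURE:
            failures[e["ip"]].append(e)

    findings = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            unknown = sum(1 for e in chunk if e["sub"] == STATUS_NO_SUCH_USER)
            ratio = unknown / len(chunk)
            if len(users) >= min_distinct_users and ratio >= min_unknown_ratio:
                cand = {"ip": ip, "distinct_users": len(users),
                        "unknown_ratio": round(ratio, 2),
                        "window_start": fails[start]["ts"].isoformat()}
                if best is None or cand["distinct_users"] > best["distinct_users"]:
                    best = cand
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_enumeration(parse_events(SAMPLE_EVENTS)):
        print(f"possible username enumeration from {f['ip']}: "
              f"{f['distinct_users']} accounts, {f['unknown_ratio']:.0%} unknown, "
              f"from {f['window_start']}")
```

The distinct-account count is what separates enumeration from ordinary password guessing against one account, and the share of "user does not exist" failures separates it from a spray against a known-good user list; a source that scores high on both is a strong candidate for blocking at the perimeter and for checking against the trusted IP ranges the post recommends enforcing.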