A massive coordinated scanning campaign is targeting Microsoft Remote Desktop Protocol (RDP) services, with threat actors using over 30,000 unique IP addresses to probe for vulnerabilities in Microsoft RD Web Access and RDP Web Client authentication portals.
The campaign represents one of the largest coordinated RDP reconnaissance operations observed in recent years, signaling potential preparation for large-scale credential-based attacks.
Key Takeaways
1. More than 30,000 IP addresses took part, in what is reported as the largest recorded Microsoft RDP scanning campaign.
2. US educational institutions were targeted with username enumeration during the back-to-school season.
3. In earlier threat intelligence research, similar scanning spikes were followed by new vulnerability disclosures or exploitation within six weeks about 80% of the time.
Remote Desktop Protocol Attack Campaign
The scanning operation began with an initial wave on August 21, 2025, involving nearly 2,000 IP addresses simultaneously targeting both Microsoft RD Web Access and Microsoft RDP Web Client services.
However, the campaign escalated dramatically on August 24, when security researchers detected over 30,000 unique IP addresses conducting coordinated probes using identical client signatures, indicating a sophisticated botnet infrastructure or coordinated toolset deployment.
GreyNoise reports that the attack methodology focuses on timing-based authentication enumeration, a technique that exploits subtle differences in server response times to identify valid usernames without triggering traditional brute-force detection mechanisms.
This approach allows attackers to build comprehensive target lists for subsequent credential stuffing and password spraying operations while maintaining operational stealth.
Network telemetry analysis reveals that 92% of the scanning infrastructure consists of previously classified malicious IP addresses, with source traffic heavily concentrated in Brazil (73% of observed sources) while exclusively targeting United States-based RDP endpoints.
The uniform client signature patterns across 1,851 of the 1,971 initial scanning hosts suggest a centralized command and control infrastructure typical of advanced persistent threat (APT) operations.
Targeting the Educational Sector
The campaign’s timing coincides with the United States’ back-to-school period, when educational institutions typically deploy RDP-enabled laboratory environments and remote access systems for incoming students.
This targeting window is strategically significant, as educational networks often implement predictable username schemas (student IDs, firstname.lastname formats) that facilitate enumeration attacks.
The threat actors are conducting multi-stage reconnaissance operations, first identifying exposed RD Web Access and RDP Web Client endpoints, then testing authentication workflows for information disclosure vulnerabilities.
This systematic approach enables the creation of comprehensive target databases containing valid usernames and accessible endpoints for future exploitation campaigns.
Security researchers note that the same IP infrastructure has been observed conducting parallel scanning for open proxy services and web crawling operations, indicating a multipurpose threat toolkit designed for comprehensive network reconnaissance.
Historical analysis suggests that coordinated scanning spikes against specific technologies often precede the discovery or exploitation of zero-day vulnerabilities within six weeks, based on 80% correlation rates in previous threat intelligence research.
The scale and coordination of this RDP scanning campaign represent a significant escalation in threat actor capabilities, potentially indicating preparation for large-scale ransomware deployment, credential harvesting operations, or the exploitation of previously unknown RDP vulnerabilities.
Organizations operating Microsoft RDP services should implement immediate hardening measures and monitor for follow-up exploitation attempts using the identified client signatures.
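The timing-based enumeration described above works when a login handler returns faster for an unknown username than for a known one with a wrong password, typically because the expensive password-hash check is skipped. The following is an added example, not code from the article or from Microsoft's RD Web Access: it shows a leaky login beside a uniform-cost one, using a constructed user store, PBKDF2 parameters and function names chosen for illustration.

```python
"""Leaky versus uniform-cost login checks, as an added example.

Not the article's or Microsoft's code: the user store, hashing parameters and
function names are constructed. The leak is the early return for unknown
users, which skips the slow hash check; the fix always runs the same work.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password, salt):
    """Slow salted hash; the part whose absence makes the unknown-user path fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"student1234": (_SALT, hash_password("correct horse", _SALT))}

# Dummy credential so the unknown-user path does the same work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)

verify_calls = {"count": 0}   # instrumentation: how many hash checks ran


def _verify(password, salt, expected):
    verify_calls["count"] += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_leaky(username, password):
    """Returns early for unknown users: measurably faster than a wrong password."""
    record = USERS.get(username)
    if record is None:
        return False
    return _verify(password, *record)


def login_uniform(username, password):
    """Always runs one hash check, against a dummy credential when the user is unknown."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = _verify(password, salt, expected)
    return ok and record is not None


def verify_cost(fn, username, password):
    """Number of hash verifications fn performs for one login attempt."""
    before = verify_calls["count"]
    fn(username, password)
    return verify_calls["count"] - before


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__,
              "unknown user:", verify_cost(fn, "nobody", "x"), "hash check(s);",
              "known user:", verify_cost(fn, "student1234", "x"), "hash check(s)")
```

The count of hash checks, rather than a wall-clock measurement, is what the example exposes, since it is the work skipped on the fast path that produces the timing difference. Identical generic error messages, rate limiting keyed on something other than the single source address, and placing the portal behind an additional authentication layer address the same enumeration risk from other directions.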