A massive coordinated botnet campaign is currently targeting Remote Desktop Protocol (RDP) services across the United States. Security firm GreyNoise is tracking a significant wave of attacks originating from over 100,000 unique IP addresses spanning more than 100 countries.
Coordinated Global Assault
The sheer scale and organization of this operation indicate it is centrally controlled, with the explicit goal of compromising vulnerable RDP infrastructure essential for remote administration and work. The investigation began after analysts detected an anomalous spike in traffic from Brazilian IPs, which quickly expanded to include surges from Russia, China, Argentina, Mexico, Iran, South Africa, and dozens of other nations.
Despite the diverse geographic origins, the attacks share a common target: US-based RDP services. Analysts are highly confident that this activity is the work of a single, large-scale botnet because nearly all participating IPs share an identical TCP fingerprint (the same TCP/IP stack characteristics on every probe), which points to one standardized toolset under a centralized command-and-control structure.
Attack Techniques
The threat actors are using two specific, synchronized attack vectors to identify and compromise systems efficiently without triggering immediate security alerts:
- RD Web Access Timing Attack: This method measures how long the server takes to respond to a login attempt. Because a request for an existing account is processed differently from one for a nonexistent account, the difference in response time reveals whether a submitted username is valid, letting the attacker build a list of real accounts without a single correct password.
- RDP Web Client Login Enumeration: This systematically guesses credentials against the identified RDP access points; a list of known-valid usernames, such as the one the timing attack produces, makes such guessing far more efficient than blind attempts.
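To make the timing vector concrete, here is an added illustration written for this article; it is neither GreyNoise's tooling nor RD Web Access's real login code. A mock login handler returns early for unknown users and only runs a slow password hash for known ones (the pattern that creates the side channel), next to a constant-work version, together with the measurement loop an attacker uses to tell the two cases apart. The user names, passwords, iteration count, 1 ms noise floor and 5x ratio are assumptions chosen for the demo.

```python
import hashlib
import secrets
import statistics
import time

# Constructed user store for the mock handlers (assumption, not a real RD Web
# Access store). Passwords are kept as PBKDF2-HMAC-SHA256 hashes.
_ITERATIONS = 50_000
_SALT = b"static-demo-salt"  # a real system uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": _hash_password("correct horse battery staple"),
    "bob": _hash_password("hunter2"),
}

# Precomputed dummy hash so the hardened handler can do equal work for unknown users.
_DUMMY_HASH = _hash_password("dummy")


def vulnerable_login(username: str, password: str) -> bool:
    """Leaks a timing oracle: unknown users are rejected before any hashing."""
    stored = USERS.get(username)
    if stored is None:
        return False  # fast path: microseconds
    return secrets.compare_digest(_hash_password(password), stored)  # slow path: milliseconds


def hardened_login(username: str, password: str) -> bool:
    """Same amount of work whether or not the username exists."""
    stored = USERS.get(username)
    candidate = _hash_password(password)  # always paid
    if stored is None:
        # Compare against a dummy hash and discard the result so the cost and
        # code path match the known-user branch.
        secrets.compare_digest(candidate, _DUMMY_HASH)
        return False
    return secrets.compare_digest(candidate, stored)


def _median_response_time(login, username: str, samples: int = 5) -> float:
    """Attacker-side probe: median wall-clock time of `samples` failed logins."""
    login(username, "warm-up")  # untimed call to absorb cold-start effects
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "not-the-password")
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def enumerate_users(login, candidates, ratio: float = 5.0, noise_floor: float = 1e-3) -> set:
    """Flag candidates that respond markedly slower than a username that
    certainly does not exist. A candidate counts as valid when its median time
    exceeds both `ratio` times the baseline and the baseline plus `noise_floor`
    (assumed 1 ms here; over a real network the floor is the observed jitter)."""
    baseline_user = "nobody-" + secrets.token_hex(8)
    baseline = _median_response_time(login, baseline_user)
    threshold = max(ratio * baseline, baseline + noise_floor)
    return {name for name in candidates if _median_response_time(login, name) > threshold}


if __name__ == "__main__":
    wordlist = ["administrator", "alice", "bob", "svc_backup", "jsmith"]
    print("vulnerable handler leaks:", sorted(enumerate_users(vulnerable_login, wordlist)))
    print("hardened handler leaks:  ", sorted(enumerate_users(hardened_login, wordlist)))
```

The hardened handler is the fix a developer controls; defenders of a product they cannot patch are left with the rate limiting, MFA and blocking described under the mitigations. Note that the fix is equal work on both branches, not merely a constant-time comparison of the final hash: the comparison happens after the expensive step, so it is the missing hash computation that leaks.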
Mitigation Steps
In response to this ongoing threat, GreyNoise has provided urgent recommendations for network defenders. Organizations should proactively check their security logs for any unusual RDP probing or failed login attempts that match the campaign's patterns.
For immediate protection, organizations must enforce strong security measures on RDP access, including:
- Enforcing strong password policies.
- Mandating multi-factor authentication (MFA) on all RDP services.
GreyNoise has also released a dynamic blocklist template, named "microsoft-rdp-botnet-oct-25," allowing customers to automatically block all known malicious IP addresses at the network perimeter.
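The log review recommended above and the perimeter blocklist can be combined in one hunting script. The following is an added example, not GreyNoise's code and not the actual blocklist template: it parses IIS W3C log lines from an RD Web Access server (RD Web Access runs under IIS, and its form login posts to /RDWeb/Pages/<locale>/login.aspx), groups login POSTs by source address, flags bursts as well as low-and-slow attempts that would escape a simple rate alert, and marks sources that fall inside a blocklist. The log lines, the CIDR ranges in BLOCKLIST and the thresholds are all constructed for the demo; a real deployment would load the exported GreyNoise list instead.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed blocklist (assumption). Replace with the exported GreyNoise list.
BLOCKLIST = ["198.51.100.0/24", "100.64.0.0/10"]

# Constructed IIS W3C log excerpt, built programmatically so the sample stays
# short. These are sample lines for this example, not a capture from the campaign.
_T0 = datetime(2025, 10, 8, 13, 0, 0)
_FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
           "cs-username c-ip cs(User-Agent) sc-status time-taken")


def _line(offset_s, ip, ua, method="POST", stem="/RDWeb/Pages/en-US/login.aspx",
          status=200, taken=12):
    ts = _T0 + timedelta(seconds=offset_s)
    return (f"{ts:%Y-%m-%d} {ts:%H:%M:%S} 10.0.0.5 {method} {stem} - 443 - "
            f"{ip} {ua} {status} {taken}")


SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 10.0", _FIELDS]
    # burst: 12 login POSTs in 12 seconds from one address
    + [_line(i, "198.51.100.23", "python-requests/2.31") for i in range(12)]
    # low and slow: one attempt every four minutes from another address
    + [_line(240 * i, "192.0.2.200", "Mozilla/5.0") for i in range(6)]
    # a page load plus two failed attempts minutes apart, which looks like a real user
    + [_line(30, "203.0.113.77", "Mozilla/5.0", method="GET"),
       _line(45, "203.0.113.77", "Mozilla/5.0"),
       _line(300, "203.0.113.77", "Mozilla/5.0")]
)


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def login_attempts_by_ip(records):
    """Collect timestamps of POSTs to the RD Web login page per client address."""
    attempts = defaultdict(list)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if r["cs-method"] == "POST" and stem.startswith("/rdweb/") and stem.endswith("/login.aspx"):
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            attempts[r["c-ip"]].append(ts)
    return attempts


def max_burst(times, window):
    """Largest number of attempts that fall inside any sliding window of `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_suspicious(log_text, blocklist, burst_threshold=10, window_s=60, slow_threshold=6):
    """Return {ip: finding} for sources that burst, trickle, or sit on the blocklist.
    Thresholds are illustrative; tune them to the server's normal login volume."""
    nets = [ipaddress.ip_network(c) for c in blocklist]
    findings = {}
    for ip, times in login_attempts_by_ip(parse_iis_w3c(log_text)).items():
        burst = max_burst(times, timedelta(seconds=window_s))
        listed = any(ipaddress.ip_address(ip) in n for n in nets)
        reasons = []
        if burst >= burst_threshold:
            reasons.append(f"{burst} login POSTs within {window_s}s")
        if len(times) >= slow_threshold:
            reasons.append(f"{len(times)} login POSTs in total")
        if listed:
            reasons.append("source on blocklist")
        if reasons:
            findings[ip] = {"attempts": len(times), "burst": burst,
                            "blocklisted": listed, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in find_suspicious(SAMPLE_LOG, BLOCKLIST).items():
        print(ip, "; ".join(f["reasons"]))
```

The low-and-slow rule matters because the campaign is described as probing without triggering immediate alerts; a source that spreads its attempts across 100,000 addresses will rarely trip a per-IP burst threshold, so total attempts per source over a longer span, and the blocklist match, are the signals that remain.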