BleepingComputer reports that almost 1,971 IP addresses were concurrently scanning Microsoft Remote Desktop Web Access and RDP Web Client authentication portals on Thursday, far more than the handful of IP addresses usually observed conducting such scanning, which could indicate coordinated reconnaissance.
Nearly 92% of the 1,851 IP addresses with identical client signatures were malicious, findings from GreyNoise showed. The surge in scanning, which has mostly come from Brazil-based addresses targeting U.S.-based addresses, may have been intended to facilitate eventual brute-force or password spraying intrusions. "The timing may not be accidental. August 21 sits squarely in the U.S. back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts," said GreyNoise Intelligence Head of Content Noah Stone. Organizations have been urged to implement multi-factor authentication and VPN security for RDP portals and internet-connected devices.




