US-based RDPs under attack from immense global botnet

BleepingComputer reports that attacks involving a massive multi-country botnet have been aimed at U.S.-based Remote Desktop Protocol services since Oct. 8.

According to an analysis from GreyNoise, the botnet has used more than 100,000 IP addresses from over 100 countries, including Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, to run RD Web Access timing attacks: it probes RD Web Access endpoints and measures response-time differences in the anonymous authentication flow to infer which usernames are valid.

The botnet also performs RDP web client login enumeration, cataloging user accounts from variations in the server's behavior and responses. Researchers found a common TCP fingerprint across most of the IP addresses, with differences in Maximum Segment Size separating the botnet into distinct clusters.
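The two behaviors above leave a recognizable trace in the web server logs of an RD Web Access host. The following is an added example, not code from GreyNoise, BleepingComputer, or SC Media: it parses constructed IIS W3C-format log lines and flags both a single IP hammering the login page and the distributed pattern, where each of many IPs sends only one probe. It assumes RD Web Access runs on IIS, that credentials are POSTed to /RDWeb/Pages/en-US/login.aspx, that a successful login answers with a 302 redirect while a failed or probing attempt gets a 200, and that the log carries the fields named in its #Fields line; the thresholds and the sample addresses are illustrative.

```python
"""Spot RD Web Access login-enumeration traffic in IIS W3C logs.

Added example, not GreyNoise's or SC Media's code. Assumptions: RD Web
Access is served by IIS, credentials are POSTed to
/RDWeb/Pages/en-US/login.aspx, a successful login answers with a 302
redirect while a failed or probing attempt gets a 200, and the log
carries exactly the fields listed in the #Fields directive below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"  # compared case-insensitively

# Constructed sample log: one benign user, one noisy single-IP enumerator,
# and twelve IPs that each send a single probe (the distributed pattern).
_distributed = "\n".join(
    f"2025-10-08 12:{5 + (10 * i) // 60:02d}:{(10 * i) % 60:02d} 198.51.100.{i + 1} "
    f"POST /RDWeb/Pages/en-US/login.aspx 200 {15 if i % 3 else 235}"
    for i in range(12)
)
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2025-10-08 12:00:01 192.0.2.5 GET /RDWeb/Pages/en-US/login.aspx 200 35
2025-10-08 12:00:09 192.0.2.5 POST /RDWeb/Pages/en-US/login.aspx 302 220
2025-10-08 12:01:00 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 15
2025-10-08 12:01:02 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 240
2025-10-08 12:01:04 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 14
2025-10-08 12:01:06 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 16
2025-10-08 12:01:08 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 238
2025-10-08 12:01:10 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 15
{_distributed}
"""


def parse_iis(text):
    """Yield one dict per request line, honouring the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed or truncated lines
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["time-taken"] = int(rec["time-taken"])
        yield rec


def login_probes(records):
    """POSTs to the login page that did not end in the assumed success redirect."""
    return [r for r in records
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower() == LOGIN_PATH
            and r["sc-status"] != "302"]


def _max_in_window(times, window):
    """Largest number of sorted timestamps falling inside any span of `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def per_ip_bursts(probes, window=timedelta(minutes=5), threshold=5):
    """IPs with >= threshold probes inside one window, plus their time-taken spread.

    A wide spread (here ~15 ms against ~240 ms) is the server answering unknown
    and known usernames on different code paths, i.e. the oracle being measured.
    """
    by_ip = defaultdict(list)
    for r in sorted(probes, key=lambda r: r["ts"]):
        by_ip[r["c-ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        n = _max_in_window([r["ts"] for r in recs], window)
        if n >= threshold:
            tts = [r["time-taken"] for r in recs]
            flagged[ip] = (n, min(tts), max(tts))
    return flagged


def distributed_burst(probes, window=timedelta(minutes=5), min_sources=10):
    """Max distinct source IPs probing the login page in any window, with its start.

    Catches the botnet case where every IP stays under the per-IP threshold.
    """
    events = sorted((r["ts"], r["c-ip"]) for r in probes)
    best_n, best_start, start = 0, None, 0
    for end, (t, _) in enumerate(events):
        while t - events[start][0] > window:
            start += 1
        n = len({ip for _, ip in events[start:end + 1]})
        if n > best_n:
            best_n, best_start = n, events[start][0]
    return (best_n, best_start) if best_n >= min_sources else None


def analyse(text=SAMPLE_LOG):
    """Run both detectors over one log; used by the usage call below."""
    probes = login_probes(parse_iis(text))
    return {"per_ip": per_ip_bursts(probes), "distributed": distributed_burst(probes)}


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

On the sample, the per-IP detector flags only 203.0.113.10, while the twelve single-probe addresses are invisible to it and surface only through the distinct-source count. That is the practical reason a blocklist of known addresses is not sufficient on its own against a botnet of this size: the aggregate rate of failed login POSTs, and the number of distinct sources behind it, is the signal worth alerting on.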

System administrators have been advised both to block the identified IP addresses and to keep monitoring their logs for suspicious RDP scanning.
