Large-Scale Multi-Country Botnet Targets RDP Services in the United States


403/68 Wednesday, October 15, 2025

Researchers from the threat monitoring platform GreyNoise have detected a massive campaign leveraging over 100,000 botnet IP addresses worldwide to attack Remote Desktop Protocol (RDP) services in the United States. The campaign, which began on October 8, 2025, originates from multiple countries, including Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, highlighting the use of a globally distributed botnet infrastructure.

The attacks primarily target RD Web Access (Remote Desktop Web Access) and the RDP Web Client. Both techniques are username enumeration, reconnaissance to find valid accounts rather than password guessing:

  • RD Web Access Timing Attack: Attackers measure response time differences during anonymous authentication attempts to infer which usernames are valid.
  • RDP Web Client Login Enumeration: Attackers interact with the RDP Web Client login process, entering usernames one by one and analyzing response variations to confirm existing accounts.
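The following is an added example, not GreyNoise's tooling or Microsoft's code, and it does not reproduce the exact RD Web Access behaviour the researchers observed. It is a toy model of the side channel behind any timing-based username enumeration: a login handler that only does expensive password hashing when the account exists, so a non-existent username answers orders of magnitude faster, next to the constant-work fix. The user table, account names, passwords and the wordlist are constructed for the example; the attacker-side `enumerate_users` function measures each candidate's median response time and flags the outliers.

```python
# Added example (not GreyNoise's or Microsoft's code): a toy login backend that
# leaks account existence through response time, and the constant-work fix.
# All accounts, passwords and the candidate wordlist are constructed.
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 20_000   # PBKDF2 work factor; high enough to be measurable
SALT_LEN = 16


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, pbkdf2_hash) for a stored credential."""
    salt = os.urandom(SALT_LEN)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: only these two accounts exist.
USERS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

# Dummy record used to burn the same amount of work for unknown users.
DUMMY_SALT, DUMMY_HASH = make_record("not-a-real-password")


def leaky_login(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users return before any hashing happens,
    so a missing account answers far faster than an existing one."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == stored


def hardened_login(username: str, password: str) -> bool:
    """Fix: always derive a hash (against a dummy record for unknown users) and
    compare in constant time, so valid and invalid usernames cost the same."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, stored)
    return ok and username in USERS   # guard: a dummy-hash match must never log in


def median_latency(login, username: str, samples: int = 3) -> float:
    """Attacker-side measurement: median wall-clock time of `samples` failed
    logins for one username; the median smooths out single noisy runs."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "wrong-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_users(login, candidates: list[str], ratio: float = 10.0) -> set[str]:
    """Flag candidates whose median response time is `ratio` times the fastest
    one. Against leaky_login these are exactly the existing accounts; against
    hardened_login every candidate costs the same and nothing stands out."""
    latency = {name: median_latency(login, name) for name in candidates}
    floor = min(latency.values())
    return {name for name, t in latency.items() if t > floor * ratio}


if __name__ == "__main__":
    wordlist = ["administrator", "alice", "guest", "bob", "svc_backup", "test"]
    print("leaky   :", sorted(enumerate_users(leaky_login, wordlist)))
    print("hardened:", sorted(enumerate_users(hardened_login, wordlist)))
```

Equalising the work per request removes the timing signal but not the other variations the second technique relies on (different error strings, status codes or redirects for known and unknown accounts), so the login path also has to return an identical response in both cases, and rate limiting is still needed against plain guessing.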

GreyNoise reported that nearly all of the IP addresses involved share the same TCP fingerprint, with only small differences in Maximum Segment Size (MSS) values, consistent with one botnet split into clusters rather than many unrelated sources. Researchers recommend that system administrators block the associated IPs, review RD Web Access and RDP logs for failed logons and username enumeration attempts dating back to the campaign's start, and stop exposing Remote Desktop directly to the internet. Instead, remote desktop access should be routed through a VPN and protected with Multi-Factor Authentication (MFA). Because the botnet spans more than 100,000 addresses, blocking alone is a stopgap: the usernames it confirmed as valid remain useful to the operator for later credential attacks, so those accounts deserve MFA and password review first.
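The log review above has a practical difficulty with a botnet this large: each of the 100,000 sources may try only one or two usernames, so a per-IP threshold never fires. The following is an added example, not GreyNoise's tooling, that runs two detections over a constructed, simplified CSV of failed-logon records (the fields a Windows Security event 4625 on the RDWeb host would carry: time, source IP, target username; real exports have more columns). `noisy_sources` catches a single IP cycling through many usernames, `distributed_sweeps` catches a window where many IPs each try a few names, and `blocklist` combines both. All IP addresses, usernames and timestamps are constructed.

```python
# Added example (not GreyNoise's tooling): spotting per-IP and distributed
# username enumeration in failed-logon records from an RD Web Access host.
# The CSV below is constructed; it mirrors three fields of Security event 4625.
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

FAILED_LOGONS = """\
time,src_ip,username
2025-10-08T02:00:01Z,203.0.113.10,administrator
2025-10-08T02:00:03Z,203.0.113.10,alice
2025-10-08T02:00:05Z,203.0.113.10,bob
2025-10-08T02:00:06Z,203.0.113.10,svc_backup
2025-10-08T02:00:07Z,203.0.113.10,guest
2025-10-08T02:00:09Z,203.0.113.10,jsmith
2025-10-08T02:01:10Z,198.51.100.7,administrator
2025-10-08T02:01:12Z,198.51.100.8,alice
2025-10-08T02:01:15Z,198.51.100.9,bob
2025-10-08T02:01:17Z,198.51.100.10,svc_backup
2025-10-08T02:01:19Z,198.51.100.11,guest
2025-10-08T02:01:21Z,198.51.100.12,jsmith
2025-10-08T02:01:24Z,198.51.100.13,mfinance
2025-10-08T02:01:26Z,198.51.100.14,hr_admin
2025-10-08T02:30:00Z,192.0.2.55,alice
2025-10-08T02:30:20Z,192.0.2.55,alice
"""


def parse_records(text: str) -> list[tuple[int, str, str]]:
    """Return (epoch_seconds, src_ip, username) for each failed logon."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((int(ts.timestamp()), row["src_ip"], row["username"]))
    return rows


def bucket(epoch: int, window: int) -> str:
    """Start of the fixed `window`-second bucket containing `epoch`, as ISO text."""
    start = epoch - epoch % window
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def noisy_sources(records, window: int = 300, min_users: int = 5) -> set[str]:
    """Per-IP enumeration: one source trying at least `min_users` distinct
    usernames inside one window."""
    users_by_key = defaultdict(set)
    for epoch, ip, user in records:
        users_by_key[(bucket(epoch, window), ip)].add(user)
    return {ip for (_, ip), users in users_by_key.items() if len(users) >= min_users}


def distributed_sweeps(records, window: int = 300, min_ips: int = 5,
                       min_users: int = 5, max_per_ip: float = 2.0) -> list[str]:
    """Botnet-shaped enumeration: a window with many source IPs, many distinct
    usernames and few attempts per IP, which stays under any per-IP threshold."""
    ips, users, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for epoch, ip, user in records:
        key = bucket(epoch, window)
        ips[key].add(ip)
        users[key].add(user)
        attempts[key] += 1
    return sorted(
        key for key in attempts
        if len(ips[key]) >= min_ips
        and len(users[key]) >= min_users
        and attempts[key] / len(ips[key]) <= max_per_ip
    )


def blocklist(records, window: int = 300) -> list[str]:
    """Candidate block list: noisy sources plus every IP that failed a logon
    inside a flagged sweep window, in numeric address order."""
    flagged = set(noisy_sources(records, window))
    sweeps = set(distributed_sweeps(records, window))
    flagged.update(ip for epoch, ip, _ in records if bucket(epoch, window) in sweeps)
    return sorted(flagged, key=ipaddress.ip_address)


RECORDS = parse_records(FAILED_LOGONS)

if __name__ == "__main__":
    print("noisy sources :", sorted(noisy_sources(RECORDS)))
    print("sweep windows :", distributed_sweeps(RECORDS))
    print("block list    :", blocklist(RECORDS))
```

In the constructed data only 203.0.113.10 trips the per-IP rule; the eight 198.51.100.x sources each try a single name and are caught only by the window-level sweep rule, while 192.0.2.55 (one user retyping a password) is flagged by neither. Because the sweep rule adds every IP active in a flagged window, review the resulting list against known VPN or office ranges before pushing it to a firewall, and treat the usernames seen in a sweep as confirmed targets for MFA and password review.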

Source: https://www.bleepingcomputer.com/news/security/massive-multi-country-botnet-targets-rdp-services-in-the-us/