A large-scale, multi-country botnet is actively targeting Remote Desktop Protocol (RDP) services in the United States, using RD Web Access timing attacks and web client login enumeration. Researchers recommend blocking the attacking IPs and hardening RDP exposure with VPNs and multi-factor authentication. #RDP #GreyNoise
Key points
- The botnet is targeting RDP services from over 100,000 IP addresses worldwide.
- Two main attack types are used: RD Web Access timing attacks and web client login enumeration.
- Initial activity was detected from Brazil, with subsequent activity spreading across multiple countries including Iran and Russia.
- Most attacking IPs share a common TCP fingerprint, indicating botnet clustering.
- Recommended defenses include blocking suspicious IPs, avoiding public exposure of RDP, and implementing VPNs and multi-factor authentication.
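The login enumeration described above leaves a volume signature in the RD Web Access logs. The following added detection example is not code from the GreyNoise report or the original post: it flags source IPs that flood the login endpoint in constructed IIS W3C-style log lines; the field layout, the endpoint paths and the thresholds are assumptions to adapt to your own logging.

```python
# Added example (not from the GreyNoise report or the original post).
# Flags source IPs sending many POSTs to the RD Web Access login endpoint
# inside a short time window. Log layout, paths and thresholds are assumed.
from collections import defaultdict
from datetime import datetime

# Assumed RDWeb endpoints, compared case-insensitively.
LOGIN_PATHS = ("/rdweb/pages/en-us/login.aspx", "/rdweb/webclient/")

# Constructed sample: "date time c-ip cs-method cs-uri-stem sc-status"
SAMPLE_LOG = """\
2024-05-01 08:00:00 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:00:01 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:00:02 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:00:03 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:00:04 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:00:05 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:05:00 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 200
2024-05-01 08:06:10 198.51.100.7 GET /RDWeb/Pages/en-US/Default.aspx 200
2024-05-01 09:00:00 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 200
"""

def parse(line):
    date, time, ip, method, uri, status = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, method, uri.lower(), int(status)

def flag_login_floods(log_text, threshold=5, window_s=60):
    """Return {ip: peak number of login POSTs inside any window_s-second window}
    for IPs whose peak reaches threshold. A failed RDWeb login is commonly
    answered with HTTP 200, so request volume is counted, not status codes."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri, _status = parse(line)
        if method == "POST" and uri.startswith(LOGIN_PATHS):
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(flag_login_floods(SAMPLE_LOG))  # {'203.0.113.10': 6}
```

The flagged IPs are candidates for the blocking the researchers recommend; the low-rate second address shows why the window matters, since two logins an hour apart are normal user behaviour.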