Full Report
A large-scale botnet is targeting Remote Desktop Protocol (RDP) services in the United States from more than 100,000 IP addresses. [...]
Analysis Summary
# Incident Report: Massive Multi-Country Botnet Targeting US RDP Services
## Executive Summary
A large-scale, multi-country botnet began a coordinated campaign against Remote Desktop Protocol (RDP) services in the United States on or around October 8, 2025. The attackers used RD Web Access timing attacks and RDP web client login enumeration to identify valid user accounts. The observed impact is widespread reconnaissance and username discovery rather than confirmed compromise, prompting immediate recommendations for network hardening and MFA.
## Incident Details
- **Discovery Date:** Shortly after initial activity spike on October 8, 2025.
- **Incident Date:** Campaign started on October 8, 2025.
- **Affected Organization:** Unspecified organizations hosting accessible RDP services, predominantly in the US.
- **Sector:** Varies (targets RDP systems across multiple potential sectors).
- **Geography:** Attacks originated from a botnet spanning over 100 countries, with high volumes detected from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, targeting US systems.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting October 8, 2025.
- **Vector:** Direct connection attempts against publicly exposed RDP services.
- **Details:** The botnet initiated reconnaissance using two primary methods:
1. **RD Web Access timing attacks:** Measuring response time differences during anonymous authentication flows to infer valid usernames.
2. **RDP web client login enumeration:** Observing differences in how the RDP Web Client login flow responds to existing versus non-existent accounts, and using those differences to enumerate valid usernames.
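The mechanism behind the first technique, as an added example rather than anything from the GreyNoise report: a generic model of a login endpoint, not the code of RD Web Access. The user store, the password, and the low PBKDF2 iteration count are constructed for the demonstration. The leaky version returns early for unknown users and so answers measurably faster for them; the hardened version does the same key-derivation work on every path, and the same measurement no longer singles out the valid account.

```python
"""Timing leak of username validity in a login flow, with the uniform-work fix.

Added example: a generic model, not RD Web Access code or code from the
GreyNoise report. USERS, the password and ITERATIONS are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 20_000  # deliberately low so the demo runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}


def login_leaky(user: str, password: str) -> bool:
    """Vulnerable form: an unknown user is rejected before any key derivation,
    so that rejection arrives far faster than a wrong password for a real user.
    That gap is what a timing attack measures."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


# Hardened form: unknown users are checked against a fixed dummy record so the
# expensive derivation runs on every path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive(os.urandom(16).hex(), _DUMMY_SALT)


def login_uniform(user: str, password: str) -> bool:
    """Same amount of work whether or not the user exists. The final membership
    test costs nanoseconds, negligible next to the derivation."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_KEY))
    matched = hmac.compare_digest(_derive(password, salt), stored)
    return matched and user in USERS


def median_ms(login, user: str, samples: int = 9) -> float:
    """Median wall-clock time of a failed login attempt for one username."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login(user, "definitely-wrong-password")
        times.append((time.perf_counter() - t0) * 1000)
    return statistics.median(times)


def enumerate_by_timing(login, candidates: list[str], ratio: float = 5.0) -> list[str]:
    """The attacker's view: candidates whose rejection takes far longer than the
    typical candidate are inferred to exist (assumes, as with any wordlist, that
    most candidates are invalid). Against login_uniform nothing stands out."""
    timings = {u: median_ms(login, u) for u in candidates}
    baseline = statistics.median(timings.values())
    return sorted(u for u, t in timings.items() if t > ratio * baseline)
```

`enumerate_by_timing(login_leaky, ["alice", "bob", "carol", "root"])` returns `["alice"]`; the same call against `login_uniform` returns an empty list. The fix is not a rate limit or a generic error message but removing the work difference between the two paths.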
### Lateral Movement
- Lateral movement details are **not specified**, as the observed activity focused primarily on initial access/reconnaissance against RDP endpoints.
### Data Exfiltration/Impact
- The phase observed was **reconnaissance and username enumeration**, not confirmed data exfiltration. The immediate impact is disclosure of which usernames exist on a target; a confirmed account list is the input for follow-on password guessing, and a successful guess would mean interactive access to the host. The report does not confirm that later stage.
### Detection & Response
- **How it was discovered:** GreyNoise detected the activity following an unusual traffic spike originating predominantly from Brazilian IPs, which subsequently widened across several other nations.
- **Response actions taken:** Recommendations were issued to system administrators to immediately review RDP logs and block known malicious IP addresses observed in the attack wave.
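The log review recommended above, and the behavioral indicators and alerting recommendations later in this report, come down to one detection problem: a botnet of this size spends only one or two attempts per source IP, so a per-IP failure threshold never fires. The following is an added example, not code from the GreyNoise report. It runs over a constructed export of Windows Security event 4625 (failed logon) fields; the only real Windows values in it are the two SubStatus codes, 0xC0000064 (user name does not exist) and 0xC000006A (wrong password), which is exactly the server-side trace that distinguishes enumeration from a user mistyping a password.

```python
"""Spot distributed username enumeration against RDP/RD Web Access in
failed-logon telemetry and derive a firewall blocklist. Added example, not code
from the GreyNoise report; the sample events are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

NO_SUCH_USER = "0xC0000064"  # real Windows SubStatus; 0xC000006A = bad password

# Constructed sample of event 4625 fields (TimeCreated, IpAddress, TargetUserName,
# SubStatus): ten botnet sources, one attempt each, mostly for accounts that do
# not exist, then one internal user mistyping a password twice.
SAMPLE_4625 = """\
2025-10-08T14:00:01Z,198.51.100.10,administrator,0xC000006A
2025-10-08T14:00:02Z,198.51.100.11,jsmith,0xC0000064
2025-10-08T14:00:02Z,203.0.113.7,mjones,0xC0000064
2025-10-08T14:00:03Z,198.51.100.12,sales,0xC0000064
2025-10-08T14:00:04Z,203.0.113.8,backup,0xC0000064
2025-10-08T14:00:05Z,192.0.2.33,helpdesk,0xC0000064
2025-10-08T14:00:06Z,203.0.113.9,scanner,0xC0000064
2025-10-08T14:00:07Z,192.0.2.34,svc_sql,0xC0000064
2025-10-08T14:00:08Z,198.51.100.13,test,0xC0000064
2025-10-08T14:00:09Z,192.0.2.35,jdoe,0xC000006A
2025-10-08T14:03:00Z,10.20.0.5,alice,0xC000006A
2025-10-08T14:03:07Z,10.20.0.5,alice,0xC000006A
"""

# Ranges never to put on a public blocklist (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class FailedLogon:
    when: datetime
    src_ip: str
    user: str
    substatus: str


def parse_events(text: str) -> list[FailedLogon]:
    """Parse 'timestamp,ip,user,substatus' lines into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, user, sub = (f.strip() for f in line.split(","))
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(FailedLogon(when, ip, user.lower(), sub))
    return sorted(events, key=lambda e: e.when)


def per_ip_alerts(events: list[FailedLogon], threshold: int = 5) -> list[str]:
    """Classic per-source rule, the shape an account-lockout policy mirrors.
    A botnet spending one attempt per IP never reaches the threshold."""
    counts = Counter(e.src_ip for e in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def detect_distributed_enumeration(events: list[FailedLogon], window: timedelta = timedelta(minutes=1),
                                   min_sources: int = 8, min_no_such_user_ratio: float = 0.6) -> dict | None:
    """Slide a window over the events; alert when many distinct sources collectively
    probe many usernames, most of which do not exist. Returns the window with the
    most sources, or None when nothing qualifies."""
    best = None
    for i, first in enumerate(events):
        bucket = [e for e in events[i:] if e.when < first.when + window]
        sources = {e.src_ip for e in bucket}
        if len(sources) < min_sources:
            continue
        ratio = sum(e.substatus == NO_SUCH_USER for e in bucket) / len(bucket)
        if ratio < min_no_such_user_ratio:
            continue
        if best is None or len(sources) > len(best["source_ips"]):
            best = {"window_start": first.when.isoformat(), "attempts": len(bucket),
                    "source_ips": sorted(sources),
                    "distinct_users": sorted({e.user for e in bucket}),
                    "no_such_user_ratio": round(ratio, 2)}
    return best


def block_candidates(alert: dict | None) -> list[str]:
    """Public source IPs from an alert, ready for a firewall deny rule. Internal
    ranges are skipped so a VPN concentrator or jump host is never blocked."""
    if not alert:
        return []
    return [ip for ip in alert["source_ips"]
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)]
```

On the sample, `per_ip_alerts` with the default threshold returns nothing, and lowering the threshold to 2 flags only the internal user who mistyped a password; `detect_distributed_enumeration` returns the ten-source window with a no-such-user ratio of 0.8 and `block_candidates` yields those ten public addresses. The point is the aggregation key: count distinct sources and distinct usernames per target within a window, and weight the result by the fraction of non-existent accounts, instead of counting failures per source.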
## Attack Methodology
- **Initial Access:** Reconnaissance against exposed RDP and RD Web Access endpoints using timing and login-enumeration techniques; any brute force of the enumerated accounts would be a follow-on stage not confirmed in the report.
- **Persistence:** Not explicitly detailed, though RDP access itself could serve as persistence if a valid account is compromised.
- **Privilege Escalation:** Not detailed; aims appear focused on initial account compromise via enumeration.
- **Defense Evasion:** No specific technique reported, but spreading the campaign across more than 100,000 source IPs keeps the attempt count per source low, which is what defeats per-IP rate limiting, lockout policies, and single-source blocklists.
- **Credential Access:** Timing attacks and web client login monitoring to enumerate usernames.
- **Discovery:** Probing RD Web Access endpoints and RDP web client flows.
- **Lateral Movement:** Not specified in the report context.
- **Collection:** Usernames are the primary target gathered during this phase.
- **Exfiltration:** Not observed; it would only follow a successful credential compromise.
- **Impact:** Potential unauthorized system access and subsequent data theft or malware deployment.
## Impact Assessment
- **Financial:** Not quantified, but potential costs associated with remediation and service disruption from successful attacks.
- **Data Breach:** Potential exposure of user account information (usernames) on targeted systems. Volume unknown.
- **Operational:** Risk of service disruption if RDP systems are hijacked or overwhelmed by the attack traffic.
- **Reputational:** Risk if target organizations suffer confirmed breaches resulting from this activity.
## Indicators of Compromise
- **Network indicators:** No individual IP addresses are listed in this summary. The campaign traffic shares a common TCP fingerprint and originates from IP ranges associated with Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, with Brazil the largest contributor.
- **File indicators:** None reported.
- **Behavioral indicators:** Bursts of anonymous requests to RD Web Access and RDP Web Client login pages from a large number of distinct source IPs, each making only a few attempts, and failed logons spanning many distinct usernames, a large share of them for accounts that do not exist.
## Response Actions
- **Containment measures:** System administrators advised to block source attack IP addresses identified during the campaign.
- **Eradication steps:** Any account that appears in the enumeration attempts, and especially any account with a successful logon from a campaign source IP, should be reviewed and have its credentials reset.
- **Recovery actions:** None specified beyond immediate hardening and monitoring.
## Lessons Learned
- Reliance on easily accessible, publicly exposed RDP services remains a critical vulnerability exploited by large-scale automated attacks.
- The application-layer techniques (timing attacks and login-flow enumeration) show attackers moving beyond port scanning and blind password guessing to first establish which usernames are valid.
## Recommendations
- RDP endpoints (TCP 3389 as well as RD Web Access and RDP Web Client portals) should **not** be directly exposed to the public internet.
- Implement a **Virtual Private Network (VPN)** as a mandatory intermediary to access RDP systems.
- Mandate **Multi-Factor Authentication (MFA)** for all RDP access. The bare RDP listener has no MFA step of its own, so enforce it at the VPN or a Remote Desktop Gateway in front of the hosts.
- Enable and retain logon logging for RDP and RD Web Access, and alert on enumeration patterns (many distinct source IPs, many distinct usernames, few attempts per IP) rather than only on per-IP failure counts, which a botnet of this size stays under.