
Internet intelligence firm GreyNoise has identified a significant and coordinated surge in scanning activity directed at Microsoft Remote Desktop Protocol (RDP) authentication servers. This campaign, involving about 1,971 distinct IP addresses, is probing Remote Desktop Web Access and RDP Web Client portals in unison, indicating a large-scale reconnaissance effort likely preceding more aggressive credential-based attacks [1]. This activity underscores the persistent and evolving threat landscape surrounding RDP, a protocol that has become a primary initial access vector for threat actors ranging from ransomware operators to state-sponsored groups.
These scans are particularly noteworthy because they are designed to identify timing flaws that can be exploited to verify valid usernames on target systems. Compiling a list of valid usernames is the critical first step in brute-force or password-spraying campaigns, which often lead to full network compromise [1]. This form of reconnaissance lets attackers operate with greater efficiency and stealth before launching their main assault.
The Enduring Attraction of RDP as an Attack Vector
The shift to remote work dramatically increased the number of internet-facing RDP endpoints, making them a prime target for attackers. Exposed RDP servers provide a direct pathway into a network and are often sold for as little as $5 on dark web marketplaces [2]. A case study by Darktrace detailed the compromise of a physical security company that began with an internet-facing RDP server. The attack unfolded over a weekend, progressing from initial intrusion through internal reconnaissance and lateral movement using native Windows tools, and was only halted before final ransomware deployment objectives were achieved [2]. This pattern of initial access, credential theft, lateral movement, and payload deployment is consistent across human-operated attacks.
Ransomware groups frequently use RDP exploitation as their initial access vector. According to a Microsoft analysis, these attackers often compromise networks and lie dormant for months, waiting for an opportune time to deploy ransomware for maximum impact and financial gain [4]. A report from Fox-IT, citing Coveware, found that 42% of ransomware cases in Q2 2021 leveraged RDP compromise as the initial attack vector, describing it as a “cheap and profitable” method for threat actors [11].
Historical Precedents and Evolving Tactics
The threat landscape for RDP is not new; it has a long history of critical vulnerabilities. Landmark flaws like BlueKeep (CVE-2019-0708), a critical, wormable Remote Code Execution vulnerability affecting older Windows versions, demonstrated the severe risks inherent in the protocol [3]. Earlier critical vulnerabilities, such as those patched in MS12-020 and MS12-053, were so severe that Microsoft released patches for unsupported operating systems like Windows XP [7][9]. The persistence of these vulnerabilities underscores the importance of rigorous patch management.
Attack methods have evolved significantly. The GoldBrute botnet, discovered in 2019, employed a unique distributed attack method where each infected bot attempted only one username/password combination per target IP. This approach made brute-force attacks appear to originate from countless sources, effectively evading traditional account lockout policies and detection mechanisms [8]. The current wave of scans appears to be a more coordinated version of this distributed reconnaissance philosophy.
Geopolitical Dimensions and Infrastructure Abuse
Recent activity shows that RDP attacks are not solely the domain of cybercriminals but are also tools in geopolitical conflicts. A detailed report from Heimdal Security describes a Russia-linked brute-force campaign actively targeting European Union corporate and institutional networks [6][10]. This campaign, active since at least May 2024, leverages compromised Microsoft infrastructure in Belgium and the Netherlands to mask its origin and avoid detection. Over 60% of attack IPs are linked to Moscow, with high-value targets in cities like Edinburgh and Dublin [10].
The technical breakdown of this campaign reveals a heavy reliance on RDP crawlers. Attack techniques include SMBv1 Crawler (32.4%), RDP Crawler (27.4%), and RDP Alt Port Crawler (8.1%), with sub-techniques covering password guessing, spraying, and credential stuffing [10]. Notably, 55% of the top attack IPs were recently compromised Microsoft IPs, and actors also leveraged infrastructure from Indian ISPs that had suffered major data breaches [10]. This abuse of trusted infrastructure makes detection more challenging for defensive teams.
Detection, Mitigation, and Defensive Posture
Defending against these threats requires a multi-layered approach centered on minimizing exposure and enhancing visibility. The primary and most effective recommendation is to eliminate direct internet exposure of RDP servers entirely [11]. Secure alternatives include implementing a Remote Desktop Gateway (RD Gateway) with SSL encryption, using a VPN protected by multi-factor authentication (MFA), or adopting a cloud-hosted solution like Azure Virtual Desktop.
For organizations that must expose RDP, implementing Network Level Authentication (NLA) is a critical mitigation. NLA requires authentication before a full session is created, which can block exploitation attempts by unauthenticated attackers, as was the case with the MS12-020 vulnerability [9]. Furthermore, enabling detailed logging is essential for detection and forensic analysis. Windows Event Logs provide crucial data for threat hunting.
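The following Python script is an added illustration of the threat hunting this paragraph calls for; it is not code from GreyNoise, Heimdal, Darktrace or Microsoft. It assumes that Event ID 4625 (failed logon) records have been exported from the Security log as CSV with the columns TimeCreated, EventID, LogonType, TargetUserName and IpAddress (an assumed export layout), and the sample records are constructed. It flags the three patterns the article describes: password spraying (one source, many accounts), classic brute force (one source, one account) and the GoldBrute-style distributed pattern (many sources, one attempt each), which no per-source or per-account threshold alone would catch.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# LogonType 10 = RemoteInteractive (a regular RDP logon). LogonType 3 = Network,
# which is how a failure during NLA pre-authentication is commonly recorded.
RDP_LOGON_TYPES = {10, 3}

# Tunables; production values are set per environment.
WINDOW = timedelta(minutes=10)           # burst window for a single source address
DISTRIBUTED_WINDOW = timedelta(hours=1)  # window for the many-sources pattern
SPRAY_MIN_USERS = 5                      # distinct accounts tried from one source
BRUTE_MIN_FAILURES = 5                   # failures on one account from one source
DISTRIBUTED_MIN_SOURCES = 5              # one-shot sources seen together

# Constructed sample export (assumed column layout). Contains a spray, a brute
# force, a GoldBrute-style distributed attempt, one benign typo and one success.
SAMPLE_EVENTS = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2024-06-01T02:00:01Z,4625,10,Administrator,203.0.113.10
2024-06-01T02:00:03Z,4625,10,jsmith,203.0.113.10
2024-06-01T02:00:05Z,4625,10,backup,203.0.113.10
2024-06-01T02:00:07Z,4625,10,svc_sql,203.0.113.10
2024-06-01T02:00:09Z,4625,10,helpdesk,203.0.113.10
2024-06-01T02:05:00Z,4625,3,Administrator,198.51.100.7
2024-06-01T02:05:01Z,4625,3,Administrator,198.51.100.7
2024-06-01T02:05:02Z,4625,3,Administrator,198.51.100.7
2024-06-01T02:05:03Z,4625,3,Administrator,198.51.100.7
2024-06-01T02:05:04Z,4625,3,Administrator,198.51.100.7
2024-06-01T02:05:05Z,4625,3,Administrator,198.51.100.7
2024-06-01T03:00:00Z,4625,10,Administrator,192.0.2.1
2024-06-01T03:00:10Z,4625,10,Administrator,192.0.2.2
2024-06-01T03:00:20Z,4625,10,jsmith,192.0.2.3
2024-06-01T03:00:30Z,4625,10,Administrator,192.0.2.4
2024-06-01T03:00:40Z,4625,10,backup,192.0.2.5
2024-06-01T03:00:50Z,4625,10,Administrator,192.0.2.6
2024-06-01T09:15:00Z,4625,10,jsmith,10.0.0.25
2024-06-01T09:16:00Z,4624,10,jsmith,10.0.0.25
"""


def parse_events(text):
    """Parse the CSV export into dicts sorted by time (timestamps are UTC)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(row["EventID"]),
            "logon_type": int(row["LogonType"]),
            "user": row["TargetUserName"].lower(),  # account names are case-insensitive
            "ip": row["IpAddress"],
        })
    return sorted(events, key=lambda e: e["time"])


def rdp_failures(events):
    """Keep only failed logons whose logon type indicates an RDP or NLA attempt."""
    return [e for e in events
            if e["event_id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES]


def windows(events, window):
    """For each event, yield it together with the later events within `window`."""
    for i, start in enumerate(events):
        yield [e for e in events[i:] if e["time"] - start["time"] <= window]


def detect_rdp_attacks(events):
    """Return one finding per rule and source that fires on the failure stream."""
    findings = []
    by_ip = defaultdict(list)
    for e in rdp_failures(events):
        by_ip[e["ip"]].append(e)

    for ip, evs in by_ip.items():
        sprayed = brute = None
        for span in windows(evs, WINDOW):
            users = {e["user"] for e in span}
            if sprayed is None and len(users) >= SPRAY_MIN_USERS:
                sprayed = {"rule": "password_spray", "ip": ip, "distinct_users": len(users)}
            user, n = Counter(e["user"] for e in span).most_common(1)[0]
            if brute is None and n >= BRUTE_MIN_FAILURES:
                brute = {"rule": "brute_force", "ip": ip, "user": user, "failures": n}
        findings += [f for f in (sprayed, brute) if f]

    # Distributed pattern: each source makes a single attempt, so lockout and the
    # per-source rules above never trip. Correlate the one-shot sources over time.
    single_shot = sorted((evs[0] for evs in by_ip.values() if len(evs) == 1),
                         key=lambda e: e["time"])
    for span in windows(single_shot, DISTRIBUTED_WINDOW):
        if len(span) >= DISTRIBUTED_MIN_SOURCES:
            findings.append({"rule": "distributed_low_and_slow",
                             "sources": len(span),
                             "accounts": sorted({e["user"] for e in span})})
            break
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_attacks(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The single failed logon from 10.0.0.25 followed by a 4624 success is a user mistyping a password and produces no finding; the one-shot rule only fires when several such sources cluster in time, which is the signature the GoldBrute case study describes. Thresholds are deliberately low for the sample and should be tuned against a baseline of normal failure rates.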
Microsoft has enhanced its defensive tools in response to these threats. Microsoft Defender for Endpoint now includes enriched telemetry for RDP sessions, allowing defenders to see if a process was initiated from an RDP session, along with the device name and IP address of the remote source [5]. This data enables more accurate detection of human-operated attacks, as malicious activity originating from a remote session is a strong indicator of compromise.
The recent surge in coordinated scanning activity targeting Microsoft RDP servers is a clear indicator of continued adversary interest in this protocol. This reconnaissance effort is almost certainly a precursor to more damaging attacks, including credential-based breaches, lateral movement, and ransomware deployment. The historical context of critical RDP vulnerabilities, combined with the evolution of attack tactics and the emergence of geopolitical motives, makes a robust defense-in-depth strategy non-negotiable. Prioritizing the removal of RDP from direct internet access, enforcing strong credential policies with MFA, applying patches diligently, and implementing advanced monitoring for RDP-related events are essential steps to mitigate this pervasive threat.