Cybersecurity firm GreyNoise said it has observed a sharp increase in scanning activity targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals. The firm reports that 1,971 unique IP addresses took part in what appears to be a coordinated reconnaissance campaign.
GreyNoise researchers believe the activity is probing for timing flaws: subtle differences in how long a login portal takes to respond, which can inadvertently reveal whether a submitted username exists. A confirmed list of valid usernames sharply narrows the search space for the credential-based attacks that typically follow, such as brute-force or password-spraying campaigns.
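To make the timing flaw concrete, here is an added illustration (not GreyNoise's code, and not the behaviour of any specific Microsoft portal) of how a login handler leaks valid usernames through response time, how an attacker recovers them, and how a constant-work handler closes the leak. The credential store and usernames are constructed for the example; the hash-on-known-user-only pattern is a common cause of this class of flaw, and the fix is to pay the same hashing cost whether or not the user exists.

```python
"""Timing-based username enumeration against a login handler, and the
constant-work fix. Added example; the user records below are constructed."""
import hashlib
import hmac
import secrets
import statistics
import time

# PBKDF2 rounds: the expensive step whose presence or absence leaks whether
# the username exists. Lowered from production values to keep the example
# fast; the leak does not depend on the exact number.
ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_record(password: str):
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


# Constructed credential store using the predictable formats the article
# mentions (student ID, firstname.lastname). Not real accounts.
USERS = {
    "s1234567": _make_record("Welcome2025!"),
    "jane.doe": _make_record("correct horse battery staple"),
}

# Dummy record hashed once at startup so unknown usernames cost the same.
_DUMMY_SALT, _DUMMY_HASH = _make_record(secrets.token_hex(16))


def login_vulnerable(username: str, password: str) -> bool:
    """Short-circuits on unknown users: no hashing, so a much faster reply."""
    record = USERS.get(username)
    if record is None:
        return False  # microseconds, versus tens of ms for a known user
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


def login_hardened(username: str, password: str) -> bool:
    """Always performs one PBKDF2 computation, valid username or not."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), expected)
    # Reject unknown users only after paying the same cost as a known user.
    return matched and username in USERS


def _median_seconds(login, username: str, samples: int = 3) -> float:
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "not-the-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)


def enumerate_by_timing(login, candidates, ratio: float = 10.0) -> set:
    """Return candidates whose login attempt takes far longer than a username
    that certainly does not exist. Against login_vulnerable this recovers the
    valid usernames; against login_hardened it returns nothing."""
    baseline = _median_seconds(login, "no-such-user-" + secrets.token_hex(8))
    found = set()
    for name in candidates:
        if _median_seconds(login, name) > ratio * baseline:
            found.add(name)
    return found


if __name__ == "__main__":
    wordlist = ["s1234567", "s7654321", "jane.doe", "john.roe"]
    print("vulnerable:", sorted(enumerate_by_timing(login_vulnerable, wordlist)))
    print("hardened:  ", sorted(enumerate_by_timing(login_hardened, wordlist)))
```

In-process the gap is thousands of times larger than network jitter, which is why three samples suffice here; over the internet an attacker needs many more samples per candidate and a statistical threshold, which is exactly the kind of repeated, low-volume authentication traffic worth alerting on.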
“Separately but potentially relevant, on August 22 GreyNoise observed a spike in scanning for open proxies. This heightened activity follows recent anomalies observed on July 31 and August 9 against GreyNoise’s Open Proxy Scanner tag. Early research indicates there is partial overlap in client signatures between this spike and the RDP scan detected on August 21,” GreyNoise noted in the report.
According to the data, 1,851 of the IPs shared the same client signature, and approximately 92% had already been flagged as malicious. The vast majority of the scanning traffic originates from Brazil, while the targets are largely located in the United States, suggesting that a single botnet or a shared attack tool may be responsible.
Researchers also noted the timing aligns with the US back-to-school season, a period when schools and universities typically reactivate RDP systems for students and staff.
“The timing may not be accidental. August 21 sits squarely in the US back-to-school window, when universities and K-12 bring RDP-backed labs and remote access online and onboard thousands of new accounts. These environments often use predictable username formats (student IDs, firstname.lastname), making enumeration more effective. Combined with budget constraints and a priority on accessibility during enrollment, exposure could spike,” GreyNoise explains. “The campaign’s US-only targeting aligns with that calendar — education and IT teams should harden RDP now and watch for follow-up activity from this same client signature.”
In the meantime, Windows administrators are strongly advised to take immediate steps: enable multi-factor authentication, keep RDP and RD Web portals off the public internet, require a VPN for remote access wherever possible, and watch authentication logs for follow-up activity from the client signature GreyNoise describes.