A coordinated cyber campaign has been targeting Remote Desktop Protocol (RDP) services across the US since October 8, threat intelligence firm GreyNoise has warned. The campaign involves more than 100,000 unique IP addresses spanning over 100 countries, in what GreyNoise describes as a centralized botnet attack.
The malicious activity includes RD Web Access timing attacks and RDP web client login enumeration. Both methods are designed to silently probe and identify vulnerable RDP endpoints, potentially paving the way for further exploitation or unauthorized access.
The botnet traffic comes from Brazil, Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, with almost all of the IP addresses involved exhibiting a nearly identical TCP fingerprint.
“Almost all traffic shared one similar TCP fingerprint, with only the MSS changing. MSS in this context likely changes depending on the compromised botnet cluster. The timing and pattern of targeting implies coordinated activity with centralized control,” the threat intelligence firm noted.
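The fingerprint observation above is something a defender can act on: if thousands of source addresses share one TCP fingerprint and differ only in MSS, clustering on the fingerprint with MSS removed turns a flood of unrelated-looking probes into a handful of groups. The script below is an added example, not code from GreyNoise or the article; the record layout, the ports treated as RDP-related (3389 and 443 for RD Web Access), the source-count threshold and the sample flows are all constructed assumptions, and the addresses are RFC 5737 documentation ranges rather than real indicators.

```python
"""Cluster RDP-bound connections by TCP fingerprint with the MSS field left
out, so that sources differing only in MSS land in the same group.
Added example; sample data is constructed and uses RFC 5737 addresses."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Assumed RDP-related destination ports: RDP itself and RD Web Access /
# RDP web client over HTTPS.
RDP_PORTS = {3389, 443}


class Flow(NamedTuple):
    src_ip: str
    dst_port: int
    ttl: int        # TTL seen at the sensor
    window: int     # advertised TCP window
    options: str    # TCP option layout in order, e.g. "mss,sackOK,ts,nop,wscale"
    wscale: int
    mss: int


Fingerprint = Tuple[int, int, str, int]  # every field except MSS


def fingerprint(flow: Flow) -> Fingerprint:
    """Fingerprint without MSS: hosts behind different uplinks (different
    path MTU, hence different MSS) still cluster together."""
    return (flow.ttl, flow.window, flow.options, flow.wscale)


def cluster_rdp_sources(flows: List[Flow]) -> Dict[Fingerprint, Tuple[Set[str], Set[int]]]:
    """Group RDP-bound flows by MSS-less fingerprint. For each fingerprint
    return the set of source IPs and the set of distinct MSS values seen."""
    clusters: Dict[Fingerprint, Tuple[Set[str], Set[int]]] = defaultdict(lambda: (set(), set()))
    for f in flows:
        if f.dst_port not in RDP_PORTS:
            continue
        ips, msses = clusters[fingerprint(f)]
        ips.add(f.src_ip)
        msses.add(f.mss)
    return dict(clusters)


def flag_coordinated(flows: List[Flow], min_sources: int = 3) -> List[Tuple[Fingerprint, int, int]]:
    """Return (fingerprint, source count, distinct MSS count) for clusters in
    which at least `min_sources` distinct source IPs share one fingerprint.
    Unrelated clients rarely match on TTL, window and option layout exactly,
    so a large cluster is a lead for centrally controlled scanning, not proof."""
    out = []
    for fp, (ips, msses) in cluster_rdp_sources(flows).items():
        if len(ips) >= min_sources:
            out.append((fp, len(ips), len(msses)))
    out.sort(key=lambda x: -x[1])
    return out


# Constructed sample: five sources share one fingerprint and differ only in
# MSS; one is an ordinary unrelated client; one is non-RDP traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 3389, 64, 29200, "mss,sackOK,ts,nop,wscale", 7, 1460),
    Flow("198.51.100.11", 443, 64, 29200, "mss,sackOK,ts,nop,wscale", 7, 1400),
    Flow("203.0.113.5", 3389, 64, 29200, "mss,sackOK,ts,nop,wscale", 7, 1380),
    Flow("203.0.113.6", 3389, 64, 29200, "mss,sackOK,ts,nop,wscale", 7, 1452),
    Flow("192.0.2.77", 443, 64, 29200, "mss,sackOK,ts,nop,wscale", 7, 1360),
    Flow("192.0.2.8", 3389, 128, 65535, "mss,nop,wscale,nop,nop,sackOK", 8, 1460),
    Flow("192.0.2.9", 22, 64, 29200, "mss,sackOK,ts,nop,wscale", 7, 1460),  # not RDP, ignored
]

if __name__ == "__main__":
    for fp, n_src, n_mss in flag_coordinated(SAMPLE_FLOWS):
        print(f"fingerprint={fp} sources={n_src} distinct_mss={n_mss}")
```

On the sample data the five probing sources collapse into one cluster with five distinct MSS values, while the lone Windows-style client stays below the threshold and the SSH flow is ignored. In practice the fields would come from a passive fingerprinting sensor or flow records, and the threshold should be tuned against the normal number of sources that share a fingerprint in your own environment.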
Separately, cybersecurity company Trend Micro has warned in its recent report that a large-scale RondoDox botnet campaign is exploiting over 50 vulnerabilities across more than 30 vendors, targeting flaws found in routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices.