Coordinated scans target Microsoft RDP authentication servers
Summary
A surge in coordinated scans has been detected targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals. Over 30,000 IP addresses were involved in the second wave of scanning activity, indicating a potential reconnaissance campaign. The scans exploit timing flaws to verify usernames, setting the stage for future credential-based attacks. The activity coincides with the US back-to-school season, suggesting possible targets in educational institutions. The scans originate predominantly from Brazil and target IP addresses in the United States. Approximately 92% of the IP addresses involved have been flagged as malicious. The scans are likely performed by a single threat actor or group, indicated by a centrally controlled botnet or residential proxy fleet. The scanning activity is predominantly from consumer ISPs in Latin America, with a heavy presence in Brazil.
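The distinguishing feature of the activity described above is its shape rather than its volume per source: tens of thousands of addresses, each sending very little, so per-IP lockouts and rate limits never fire. As an added, defender-side example (not code from this page or from any of the cited reports), the Python script below shows one way to surface that shape in a web server's access log: it buckets POSTs to the RD Web sign-in pages into five-minute windows and flags windows with many distinct source addresses and a low mean request count per address. The IIS W3C field layout, the sign-in paths in `AUTH_PATHS`, and the thresholds are assumptions for the example; the log lines are constructed.

```python
"""Flag distributed scanning waves against RD Web sign-in pages in access logs.

Added example, not from the report. Log lines are constructed; the field
layout mirrors a reduced IIS W3C format: date time c-ip cs-method cs-uri-stem
sc-status time-taken.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Sign-in paths of RD Web Access and the RD Web Client. Assumed values for
# this example, not identifiers taken from the report; compare case-insensitively.
AUTH_PATHS = ("/rdweb/pages/en-us/login.aspx", "/rdweb/webclient/")


def constructed_log():
    """Build constructed sample lines.

    Window 02:55-03:00: three staff addresses signing in a few times (baseline).
    Window 03:00-03:05: forty distinct addresses, one POST each, which is the
    shape of a distributed scan where every node sends almost nothing.
    """
    lines = []
    for i, ip in enumerate(("198.51.100.5", "198.51.100.6", "198.51.100.7")):
        for k in range(3):
            lines.append(f"2025-08-24 02:5{5 + i}:{10 + k:02d} {ip} POST "
                         f"/RDWeb/Pages/en-US/login.aspx 200 380")
    for n in range(1, 41):
        lines.append(f"2025-08-24 03:0{n // 15}:{n % 60:02d} 203.0.113.{n} POST "
                     f"/RDWeb/Pages/en-US/login.aspx 200 405")
    # Unrelated traffic and a malformed line, both of which must be ignored.
    lines.append("2025-08-24 03:01:30 203.0.113.250 GET /favicon.ico 404 2")
    lines.append("not a log line")
    return lines


def parse_line(line):
    """Parse one line into a dict; return None for lines outside the expected shape."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, clock, c_ip, method, uri, status, time_taken = parts
    try:
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "ip": c_ip, "method": method, "uri": uri.lower(),
                "status": int(status), "time_taken": int(time_taken)}
    except ValueError:
        return None


def is_auth_attempt(rec):
    """True for a form POST to one of the sign-in pages."""
    return rec["method"] == "POST" and rec["uri"].startswith(AUTH_PATHS)


def window_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def detect_waves(lines, window_minutes=5, min_distinct_ips=20, max_mean_hits_per_ip=2.0):
    """Return windows whose sign-in traffic looks like a distributed scan.

    The signal is many distinct source addresses per window combined with a low
    mean number of requests per address; thresholds are tuned from the baseline
    of the site being monitored.
    """
    hits_per_window = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_auth_attempt(rec):
            continue
        hits_per_window[window_start(rec["ts"], window_minutes)][rec["ip"]] += 1

    findings = []
    for start in sorted(hits_per_window):
        hits = hits_per_window[start]
        per_ip = mean(hits.values())
        if len(hits) >= min_distinct_ips and per_ip <= max_mean_hits_per_ip:
            findings.append({"window": start.isoformat(), "distinct_ips": len(hits),
                             "requests": sum(hits.values()), "mean_per_ip": round(per_ip, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_waves(constructed_log()):
        print(finding)
```

On the constructed input only the 03:00 window is reported (40 addresses, 40 requests, one per address); the staff window stays below the distinct-address threshold. The mean-per-address condition is what separates a proxy fleet from a single noisy client behind a NAT, and the distinct-address count should be compared against the site's own quiet-hour baseline before the thresholds are fixed.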
Timeline
- 26.08.2025 22:56 · 1 article
  Second wave of scans targets over 30,000 IP addresses
  The second wave of scans occurred on August 24, involving over 30,000 IP addresses. The scans are likely performed by a single threat actor or group, indicated by a centrally controlled botnet or residential proxy fleet. The activity is predominantly from consumer ISPs in Latin America, with a heavy presence in Brazil. The scans target educational institutions due to predictable username formats and increased RDP usage during the back-to-school season. The scanning surges often precede new vulnerabilities, with 80% of cases resulting in a new vulnerability within six weeks of a spike.
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- 26.08.2025 02:43 · 2 articles
  Surge in coordinated scans targeting Microsoft RDP authentication servers detected
  Nearly 1,971 IP addresses were involved in coordinated scanning of Microsoft Remote Desktop Web Access and RDP Web Client authentication portals. The scans exploit timing flaws to verify usernames, enabling potential credential-based attacks, and may exploit predictable username formats commonly used in educational institutions; the activity coincides with the US back-to-school season. The scans originate predominantly from Brazil and target IP addresses in the United States, and approximately 92% of the IP addresses involved have been flagged as malicious. The scans may indicate a new vulnerability or a coordinated reconnaissance campaign.
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
Information Snippets
- Nearly 1,971 IP addresses were involved in the coordinated scanning activity.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scans target Microsoft Remote Desktop Web Access and RDP Web Client authentication portals.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scans exploit timing flaws to verify usernames, enabling potential credential-based attacks.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The activity coincides with the US back-to-school season, suggesting possible targets in educational institutions.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scans originate predominantly from Brazil and target IP addresses in the United States.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- Approximately 92% of the IP addresses involved have been flagged as malicious.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scans may indicate a new vulnerability or a coordinated reconnaissance campaign.
  First reported: 26.08.2025 02:43 (1 source, 1 article)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
- The scans may exploit predictable username formats commonly used in educational institutions.
  First reported: 26.08.2025 02:43 (2 sources, 2 articles)
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers — www.bleepingcomputer.com — 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The second wave of scans occurred on August 24, involving over 30,000 IP addresses.
  First reported: 26.08.2025 22:56 (1 source, 1 article)
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scans are likely performed by a single threat actor or group, indicated by a centrally controlled botnet or residential proxy fleet.
  First reported: 26.08.2025 22:56 (1 source, 1 article)
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scanning activity is predominantly from consumer ISPs in Latin America, with a heavy presence in Brazil.
  First reported: 26.08.2025 22:56 (1 source, 1 article)
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scanning surges often precede new vulnerabilities, with 80% of cases resulting in a new vulnerability within six weeks of a spike.
  First reported: 26.08.2025 22:56 (1 source, 1 article)
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
- The scans target educational institutions due to predictable username formats and increased RDP usage during the back-to-school season.
  First reported: 26.08.2025 22:56 (1 source, 1 article)
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services — www.darkreading.com — 26.08.2025 22:56
Similar Happenings
Critical deserialization flaw in DELMIA Apriso MOM actively exploited
A critical deserialization vulnerability in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software (CVE-2025-5086) is actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution (RCE) and has been exploited to deliver the Zapchast malware. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. The flaw is actively exploited via malicious SOAP requests to vulnerable endpoints, loading and executing a Base64-encoded, GZIP-compressed .NET executable embedded in the XML. The malicious requests were observed originating from the IP 156.244.33[.]162, likely associated with automated scans. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by October 2, 2025.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.
The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, SonicWall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure
Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US on charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise.
In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.
Growing threat landscape for AI agents and non-human identities
The rapid adoption of AI agents and non-human identities (NHIs) presents significant security challenges. These entities are increasingly targeted by adversaries, with known attack vectors growing rapidly. The unique characteristics of AI agents, such as autonomy and extensive access, exacerbate these risks. Security experts warn of a closing window of opportunity to secure these tools and data. The threat landscape includes data poisoning, jailbreaking, prompt injection, and the exploitation of abandoned agents. Recent research highlights the potential for malicious proxy settings and zero-click vulnerabilities. Proactive measures are essential to mitigate these risks and build robust defenses.
Columbia University Enhances Security Posture with Logging and Automation
Columbia University has improved its security posture by implementing extensive logging and automation. This has helped the university detect and mitigate cyberattacks, including recent hacktivist incidents and a 2020s breach by state-sponsored actors. The university's logging solution has enabled it to track attacker activity, identify exploited ports, and trace back intrusion points. This has been crucial in minimizing the impact of attacks and enhancing incident response. The university's security team, despite being small, leverages automation and logging to cover nearly half of the university's systems. This approach has significantly reduced the number of security incidents and provided valuable insights into attacker tactics. Educational institutions are among the top targets for data breaches, making such measures essential for protecting sensitive information and maintaining operational security.