Coordinated scans target Microsoft RDP authentication servers
Summary
A significant surge in coordinated scanning activity has been detected targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals. Nearly 1,971 IP addresses took part in the initial wave, probing for timing flaws that could support future credential-based attacks. A second, far larger wave on August 24 involved more than 30,000 IP addresses. The scans originated predominantly from Brazil and targeted IP addresses in the United States. The activity coincides with the US back-to-school season, suggesting an attempt to exploit predictable username formats and the increased exposure that comes with onboarding new accounts. The scans may indicate the discovery of a new vulnerability, as such spikes in malicious traffic often precede vulnerability disclosures. They were likely performed by a single threat actor or group, the coordination pointing to a centrally controlled botnet or a large residential proxy fleet.
Timeline
- 26.08.2025 22:56 · 1 article · 21d ago
  Single threat actor group identified behind RDP scanning waves
  The scans were likely performed by a single threat actor or group, the coordination pointing to a centrally controlled botnet or a large residential proxy fleet. The scans were directed exclusively at the US, potentially targeting the education sector. Such scanning surges often precede new vulnerabilities, with a new vulnerability following within six weeks in 80% of cases.
  Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- 26.08.2025 02:43 · 2 articles · 21d ago
  Surge in coordinated scans targeting Microsoft RDP authentication servers
  A second, far larger wave of RDP scans occurred on August 24, involving more than 30,000 IP addresses. The scans were likely performed by a single threat actor or group, the coordination pointing to a centrally controlled botnet or a large residential proxy fleet. The scans were directed exclusively at the US, potentially targeting the education sector. Such scanning surges often precede new vulnerabilities, with a new vulnerability following within six weeks in 80% of cases.
  Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
Information Snippets
- Nearly 1,971 IP addresses were involved in coordinated scanning activity targeting Microsoft RDP authentication portals.
  First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- The scans probed for timing flaws that reveal whether a username is valid, groundwork for later credential-based attacks.
  First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- The source IP addresses predominantly originated from Brazil and targeted IP addresses in the United States.
  First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- 1,851 of the IP addresses shared the same client signature, and approximately 92% were already flagged as malicious.
  First reported: 26.08.2025 02:43 · 1 source, 1 article. Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
- The timing of the scans coincides with the US back-to-school season, when educational institutions bring RDP systems back online.
  First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- The scans may indicate the discovery of a new vulnerability, as such spikes in malicious traffic often precede vulnerability disclosures.
  First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
  - Surge in coordinated scans targets Microsoft RDP auth servers · www.bleepingcomputer.com · 26.08.2025 02:43
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- A second, far larger wave of RDP scans occurred on August 24, involving more than 30,000 IP addresses.
  First reported: 26.08.2025 22:56 · 1 source, 1 article. Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- The scans were likely performed by a single threat actor or group, the coordination pointing to a centrally controlled botnet or a large residential proxy fleet.
  First reported: 26.08.2025 22:56 · 1 source, 1 article. Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- The scans were directed exclusively at the US, potentially targeting the education sector.
  First reported: 26.08.2025 22:56 · 1 source, 1 article. Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- Such scanning surges often precede new vulnerabilities, with a new vulnerability following within six weeks in 80% of cases.
  First reported: 26.08.2025 22:56 · 1 source, 1 article. Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
- RDP has been a popular attack surface for a range of attackers, including nation-state actors, and has been exploited in multiple high-profile campaigns.
  First reported: 26.08.2025 22:56 · 1 source, 1 article. Sources:
  - Malicious Scanning Waves Slam Remote Desktop Services · www.darkreading.com · 26.08.2025 22:56
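The snippets above on username-enumeration probing and on 1,851 addresses sharing one client signature describe the pattern a portal owner wants to spot in their own logs: many source IPs, one attempt each, tied together by a common client signature. The following Python is an added example written for this page, not code from BleepingComputer, Dark Reading, Microsoft or any vendor. It assumes a simplified IIS-style W3C log line layout, the RD Web Access login path /RDWeb/Pages/en-US/login.aspx, illustrative thresholds, and constructed sample lines that are not real traffic.

```python
"""Spot coordinated, low-and-slow probing of an RD Web Access login page.

Added example (not from the articles this page summarises). Assumptions,
all labelled: a simplified IIS-style W3C log line layout, the RD Web Access
login path /RDWeb/Pages/en-US/login.aspx, illustrative thresholds, and
constructed sample lines that are not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDWEB_LOGIN = "/RDWeb/Pages/en-US/login.aspx"  # standard RD Web Access login page

# Constructed sample log (not real data). Field order assumed here:
# date time c-ip cs-method cs-uri-stem sc-status time-taken(ms) cs(User-Agent)
# IIS writes spaces inside the User-Agent as '+', which keeps it one token.
SAMPLE_LOG = """\
2025-08-24 03:00:01 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 412 Mozilla/5.0+(X11;+Linux)+probe/1.0
2025-08-24 03:00:02 203.0.113.11 POST /RDWeb/Pages/en-US/login.aspx 200 398 Mozilla/5.0+(X11;+Linux)+probe/1.0
2025-08-24 03:00:02 203.0.113.12 POST /RDWeb/Pages/en-US/login.aspx 200 405 Mozilla/5.0+(X11;+Linux)+probe/1.0
2025-08-24 03:00:03 203.0.113.13 POST /RDWeb/Pages/en-US/login.aspx 200 47 Mozilla/5.0+(X11;+Linux)+probe/1.0
2025-08-24 03:00:03 203.0.113.14 POST /RDWeb/Pages/en-US/login.aspx 200 51 Mozilla/5.0+(X11;+Linux)+probe/1.0
2025-08-24 03:00:04 203.0.113.15 POST /RDWeb/Pages/en-US/login.aspx 200 401 Mozilla/5.0+(X11;+Linux)+probe/1.0
2025-08-24 03:05:00 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 302 420 Mozilla/5.0+(Windows+NT+10.0)+Edge/127.0
2025-08-24 03:06:10 198.51.100.7 GET /RDWeb/Pages/en-US/Default.aspx 200 30 Mozilla/5.0+(Windows+NT+10.0)+Edge/127.0
"""


def parse_line(line):
    """Split one log line into a record; returns None for blank/comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, ip, method, uri, status, taken, ua = line.split(" ", 7)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "ip": ip,
        "method": method,
        "uri": uri,
        "status": int(status),
        "time_taken_ms": int(taken),
        "ua": ua,
    }


def login_attempts(log_text):
    """Keep only credential submissions (POST) to the RD Web login page."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records
            if r and r["uri"] == RDWEB_LOGIN and r["method"] == "POST"]


def find_scan_clusters(log_text, window=timedelta(minutes=5), min_ips=5):
    """Report client signatures (User-Agent) seen from many distinct source IPs.

    A per-IP lockout never fires when each IP submits a single attempt, so the
    grouping key is the shared client signature, the same property the
    articles used to tie 1,851 addresses together. Thresholds are illustrative.
    """
    by_ua = defaultdict(list)
    for rec in login_attempts(log_text):
        by_ua[rec["ua"]].append(rec)

    clusters = []
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            ips = {r["ip"] for r in in_window}
            if len(ips) < min_ips:
                continue
            taken = [r["time_taken_ms"] for r in in_window]
            clusters.append({
                "user_agent": ua,
                "window_start": first["ts"].isoformat(),
                "distinct_ips": len(ips),
                "attempts_per_ip": round(len(in_window) / len(ips), 2),
                # A wide spread in server response time across attempts is what
                # a username-enumeration probe measures; surfacing it lets the
                # portal owner check whether the time tracks username validity.
                "response_time_spread_ms": max(taken) - min(taken),
            })
            break  # one report per signature is enough
    return clusters


if __name__ == "__main__":
    for cluster in find_scan_clusters(SAMPLE_LOG):
        print(cluster)
```

On the constructed sample the probe signature is reported once (six IPs, one attempt each, a 365 ms spread in response time), while the single legitimate Edge login is not. The spread figure is a prompt for the portal owner rather than a verdict: if failed logins for valid and invalid usernames take measurably different times, that is the timing flaw the articles say the scans were looking for, and it is fixed on the server side, not by blocking the scanning IPs.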
Similar Happenings
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and Sonicwall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices. 
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift from Chinese state-sponsored activity from being purely espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
Insecure Consumer Devices Pose Threat to Hybrid Work Environments
Consumer devices in home networks are increasingly becoming attack vectors for enterprise systems in the hybrid work era. These devices are often unpatched, unsupported, and insecure, giving threat actors an entry point into corporate environments. The risk is exacerbated by the fact that enterprise security teams have limited control over these devices. D-Link cameras and video recorders were recently added to the Known Exploited Vulnerabilities (KEV) catalog, highlighting the broader threat posed by consumer devices. Once compromised, such devices can intercept traffic, change DNS settings, or serve as a foothold for reaching other systems. They also feed the botnet ecosystem, which can be used to launch various attacks on corporate targets.
ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware
A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file. The compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel. The attackers likely gained access through known exploits in WordPress plugins and compromised credentials. The "Scattered Lapsus$ Hunters" group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been identified as behind widespread data theft attacks targeting Salesforce data and other high-profile companies. The group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement and unauthorized access to sensitive user data. Mitigation strategies include user training, network segmentation, and securing WordPress sites with multi-factor authentication (MFA).