Massive coordinated scans target Microsoft RDP authentication servers
Summary
A significant surge in coordinated scanning activity targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals has been observed. Nearly 1,971 IP addresses were involved in the initial wave, with a second wave involving over 30,000 IP addresses occurring on August 24. The scans are probing for timing flaws that could be exploited in future credential-based attacks. The activity is unusual, with typically only 3–5 IP addresses performing such scans daily. The scans originate predominantly from Brazil and target IP addresses in the United States. The timing coincides with the US back-to-school season, when educational institutions may be bringing RDP systems back online. This period sees an increase in new accounts and predictable username formats, making enumeration more effective. The scans could indicate the discovery of a new zero-day vulnerability, with historical data showing that such spikes often precede new vulnerabilities within six weeks.
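The anomaly the summary describes is measurable from ordinary web-server logs: a jump from a handful of distinct source addresses hitting the RD Web login page per day to hundreds or thousands, many presenting the same client signature. The following is an added detection example, not code from the reporting cited on this page. The log excerpt is constructed (RFC 5737 documentation addresses, made-up user agents), the login URI `/RDWeb/Pages/en-US/login.aspx` is the typical RD Web Access login path and is assumed here, and the "3–5 per day" baseline is taken from the summary above.

```python
from collections import defaultdict
import statistics

# Constructed IIS-style (W3C) log excerpt for an RD Web Access login page.
# Field order: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
# All addresses, times and user agents are made up for this example.
LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"  # typical RD Web Access login URI (assumed)

_BASELINE_DAYS = [
    "2025-08-20 09:12:01 198.51.100.10 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)",
    "2025-08-20 09:40:13 198.51.100.11 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)",
    "2025-08-20 14:02:45 198.51.100.12 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Macintosh)",
    "2025-08-20 14:03:10 198.51.100.12 GET /RDWeb/Pages/en-US/Default.aspx 200 Mozilla/5.0+(Macintosh)",
    "2025-08-21 08:55:02 198.51.100.10 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)",
    "2025-08-21 10:11:37 198.51.100.13 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)",
    "2025-08-21 12:30:00 198.51.100.14 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(X11;+Linux)",
    "2025-08-21 16:45:59 198.51.100.15 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)",
]
# Constructed surge day: 19 distinct sources sharing one client signature, plus one ordinary browser.
_SURGE_DAY = [
    f"2025-08-24 03:{i:02d}:00 203.0.113.{i} POST /RDWeb/Pages/en-US/login.aspx 200 ConstructedClient/1.0"
    for i in range(1, 20)
] + ["2025-08-24 09:01:22 198.51.100.10 POST /RDWeb/Pages/en-US/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)"]

SAMPLE_LOG = "\n".join(_BASELINE_DAYS + _SURGE_DAY)


def parse_line(line: str):
    """Split one W3C-style line into a dict; return None for comment or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ", 6)  # IIS encodes spaces in the UA as '+', so 7 fields result
    if len(parts) < 7:
        return None
    date, _time, ip, method, uri, status, ua = parts
    return {"date": date, "ip": ip, "method": method, "uri": uri, "status": status, "ua": ua}


def login_events(log_text: str, login_path: str = LOGIN_PATH):
    """Keep only POSTs to the login page: the requests a credential or username probe must make."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["uri"] == login_path:
            events.append(rec)
    return events


def distinct_ips_per_day(events):
    per_day = defaultdict(set)
    for e in events:
        per_day[e["date"]].add(e["ip"])
    return dict(per_day)


def flag_scanning_days(events, baseline_max: int = 5, factor: float = 3.0):
    """Return {day: distinct_ip_count} for days whose distinct-source count exceeds
    factor x the larger of (a) the expected daily baseline and (b) the median of the
    other observed days. baseline_max=5 reflects the 3-5 scanning IPs per day the page
    reports as normal."""
    per_day = distinct_ips_per_day(events)
    counts = {day: len(ips) for day, ips in per_day.items()}
    flagged = {}
    for day, n in counts.items():
        others = [c for d, c in counts.items() if d != day]
        expected = max(baseline_max, statistics.median(others) if others else 0)
        if n > factor * expected:
            flagged[day] = n
    return flagged


def dominant_client_signature(events, day: str):
    """(user_agent, ips_using_it, total_ips) for the UA shared by the most distinct IPs on `day`.
    Many distinct addresses presenting one identical signature suggests a single tool or botnet."""
    ua_to_ips = defaultdict(set)
    all_ips = set()
    for e in events:
        if e["date"] == day:
            ua_to_ips[e["ua"]].add(e["ip"])
            all_ips.add(e["ip"])
    if not all_ips:
        return None
    ua, ips = max(ua_to_ips.items(), key=lambda kv: len(kv[1]))
    return ua, len(ips), len(all_ips)


if __name__ == "__main__":
    ev = login_events(SAMPLE_LOG)
    for day, n in flag_scanning_days(ev).items():
        ua, k, total = dominant_client_signature(ev, day)
        print(f"{day}: {n} distinct sources on the login page; {k}/{total} share signature {ua!r}")
```

Counting distinct sources rather than raw requests is what makes the surge stand out: a single noisy client cannot trip the threshold, while a distributed scan does even when each address sends only one request. The median-of-other-days term keeps the threshold adaptive on busy portals where the baseline is higher than the one reported here.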
Timeline
- 26.08.2025 22:56 · 1 article
Second wave of scans involving over 30,000 IP addresses
A second wave of scans occurred on August 24, involving over 30,000 IP addresses. The scans are likely performed by a single threat actor or group, possibly using a centrally controlled botnet. The activity targets the education sector, which is more vulnerable due to predictable username formats and increased RDP usage during the back-to-school period. The scanning activity could lead to password spraying or credential stuffing attacks, posing an urgent threat to organizations, especially in the education sector. The scans could indicate the discovery of a new zero-day vulnerability, with historical data showing that such spikes often precede new vulnerabilities within six weeks.
Sources:
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
- 26.08.2025 02:43 · 2 articles
Nearly 1,971 IP addresses involved in coordinated scans of Microsoft RDP authentication servers
A significant surge in coordinated scanning activity targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals has been observed. The scans are probing for timing flaws that could be exploited in future credential-based attacks. The activity is unusual, with typically only 3–5 IP addresses performing such scans daily. The scans originate predominantly from Brazil and target IP addresses in the United States. The timing coincides with the US back-to-school season, when educational institutions may be bringing RDP systems back online. This period sees an increase in new accounts and predictable username formats, making enumeration more effective.
Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
Information Snippets
- Nearly 1,971 IP addresses were observed scanning Microsoft RDP authentication portals in unison.
First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
- The scans are testing for timing flaws that could be used to verify usernames.
First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
- Timing flaws occur when the response time of a system reveals sensitive information.
First reported: 26.08.2025 02:43 · 1 source, 1 article. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
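The timing flaw the two snippets above refer to is the classic username-enumeration leak in a login handler: if an unknown username is rejected before the expensive password hash is computed, while a known username triggers the hash, the response time alone tells a remote client which accounts exist, even though both paths return the same "login failed" message. The following is an added example written for this page, not code from Microsoft or from the cited reports. It pairs a leaky handler with a constant-work one and measures the difference; the account names, passwords and PBKDF2 work factor are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2, kept modest so the demonstration runs in a few seconds.
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Constructed credential store: username -> (salt, hash). Not real accounts."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, derive(pw, salt))
    return store


# Dummy credential verified for unknown usernames so the hardened path performs
# the same expensive work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str) -> bool:
    """Vulnerable form: an unknown username is rejected immediately, a known one only
    after the slow hash, so the response time reveals which usernames exist."""
    if username not in store:
        return False
    salt, expected = store[username]
    return derive(password, salt) == expected


def login_constant_work(store: dict, username: str, password: str) -> bool:
    """Hardened form: always derive a hash (against a dummy record if the user is unknown)
    and compare with hmac.compare_digest, so known and unknown usernames cost the same."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(derive(password, salt), expected)
    return match and username in store


def median_seconds(fn, store: dict, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of one login attempt, to damp scheduler noise."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(store, username, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def timing_ratio(fn, store: dict, known_user: str, unknown_user: str) -> float:
    """Time for a wrong password against a known user divided by the same against an
    unknown user. A ratio near 1.0 means the handler does not leak account existence."""
    known = median_seconds(fn, store, known_user, "not-the-password")
    unknown = median_seconds(fn, store, unknown_user, "not-the-password")
    return known / max(unknown, 1e-9)


if __name__ == "__main__":
    store = make_user_store({"s2025001": "Example-Pass-1"})
    for fn in (login_leaky, login_constant_work):
        ratio = timing_ratio(fn, store, "s2025001", "s2025999")
        print(f"{fn.__name__}: known/unknown timing ratio = {ratio:.1f}")
```

The constant-work variant still has to signal failure for an unknown user, which it does only after the hash has been computed and compared; the final `username in store` check is a dictionary lookup, negligible next to the key derivation. The same principle applies to any authentication front end: make the cost of a failed login independent of which part of the credential was wrong, and rate-limit by source so that even a residual difference cannot be averaged out across many attempts.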
- 1,851 of the IP addresses shared the same client signature, with 92% flagged as malicious.
First reported: 26.08.2025 02:43 · 1 source, 1 article. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- The scans originate predominantly from Brazil and target IP addresses in the United States.
First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
- The surge in scans coincides with the US back-to-school season.
First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
- Educational institutions often use predictable username formats during this period.
First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
- The scans could indicate the discovery of a new vulnerability.
First reported: 26.08.2025 02:43 · 2 sources, 2 articles. Sources:
- Surge in coordinated scans targets Microsoft RDP auth servers – www.bleepingcomputer.com – 26.08.2025 02:43
- Malicious Scanning Waves Slam Remote Desktop Services – www.darkreading.com – 26.08.2025 22:56
Similar Happenings
Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. This campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity. The advisory provides actionable guidance and intelligence to help organizations defend against these sophisticated cyber threats. The advisory builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025, reflecting overlapping indicators with industry reporting on various Chinese state-sponsored threat groups. Salt Typhoon has been active since at least 2019, targeting at least 600 organizations, including 200 in the U.S., and 80 countries. The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and the remote administration of technical assets. The Czech government previously accused China of targeting its critical infrastructure through APT 31, which began in 2022. China's offensive cyber activities include large-scale telco attacks by Salt Typhoon and positioning for potential destructive cyberattacks. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. 
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has assessed the risk of significant disruptions caused by China at a 'High' level, indicating a high probability of occurrence. NUKIB confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The Chinese government has access to data stored by private cloud service providers within the Czech Republic, ensuring that sensitive data is always within its reach. NUKIB warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms, as risky devices that can transfer potentially sensitive data to Chinese infrastructure. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest domain registration activity dating back to May 2020.
Russian State-Sponsored Hackers Exploit Cisco Vulnerability for Cyber Espionage
The Russian state-sponsored cyber espionage group Static Tundra is exploiting a seven-year-old vulnerability (CVE-2018-0171) in Cisco IOS and Cisco IOS XE software to establish persistent access to target networks. The group, linked to the FSB's Center 16 unit, targets telecommunications, higher education, manufacturing, and critical infrastructure sectors across North America, Asia, Africa, and Europe, including increased attacks in Ukraine since the start of the war. The attacks involve exploiting the Smart Install feature to execute arbitrary code and collect configuration files from thousands of networking devices. The group uses custom tools like SYNful Knock for persistence and employs SNMP to gain unauthorized access. The primary goal is long-term intelligence gathering, with a focus on strategic interests of the Russian government. The FBI and Cisco have issued advisories warning about the ongoing exploitation of this vulnerability, urging organizations to patch or disable the Smart Install feature. End-of-life devices are particularly vulnerable, as they no longer receive security updates, creating persistent attack vectors. The FBI has detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems. The same hacking group has previously targeted the networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The U.S. Department of State has offered a $10 million reward for information on three FSB officers involved in these cyberattacks, highlighting the group's extensive targeting of critical infrastructure and energy companies globally. 
The three officers, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, targeted over 380 energy-sector companies in 135 countries. They were involved in the Dragonfly campaign, which included obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise.
DripDropper Malware Campaign Exploits and Patches CVE-2023-46604 in Apache ActiveMQ
A threat actor, dubbed DripDropper, exploited a nearly 2-year-old vulnerability (CVE-2023-46604) in Apache ActiveMQ to compromise Linux servers. The attacker then patched the same vulnerability to prevent other threat actors from exploiting it. The campaign involved deploying a new malware loader, DripDropper, which communicates with an attacker-controlled Dropbox account. The attackers used various tools, including the Sliver framework and Cloudflare Tunnels, to maintain persistent access to compromised systems. The attackers modified existing sshd configurations to enable root login, granting them elevated access. The DripDropper malware is a PyInstaller ELF binary that requires a password to run, resisting analysis. The campaign highlights the importance of timely patching and robust security practices. The attackers targeted Linux servers running vulnerable versions of Apache ActiveMQ. They used the vulnerability to gain initial access, perform reconnaissance, and deploy malware. The campaign was discovered by Red Canary while monitoring cloud-based Linux environments. The attackers' tactics included patching the exploited vulnerability to prevent other threat actors from using the same flaw and to avoid detection by automated scans.