Scrape Timestamp (UTC): 2025-10-13 18:10:46.270
Original Article Text
Massive multi-country botnet targets RDP services in the US

A large-scale botnet is targeting Remote Desktop Protocol (RDP) services in the United States from more than 100,000 IP addresses. The campaign started on October 8 and, based on the source of the IPs, researchers believe the attacks are launched by a multi-country botnet.

RDP is a network protocol that enables remote connection to and control of Windows systems. It is typically used by administrators, helpdesk staff, and remote workers. Attackers often scan for open RDP ports or try to brute-force logins, exploit vulnerabilities, or perform timing attacks. In this case, researchers at threat monitoring platform GreyNoise found that the botnet relies on two types of RDP-related attacks:

GreyNoise detected the campaign after an unusual traffic spike from Brazil, followed by similar activity from a wider geography, which includes Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador. The company says that the full list of countries with compromised devices in the botnet exceeds 100.

Nearly all IP addresses share a common TCP fingerprint, and although there are variations in the Maximum Segment Size, the researchers believe these are due to the clusters forming the botnet.

To defend against this activity, system administrators are advised to block the IP addresses that launch the attacks and to check their logs for suspicious RDP probing. As a general recommendation, a remote desktop service should not be exposed to the public internet; placing it behind a VPN and requiring multi-factor authentication (MFA) add a layer of protection.
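The article's advice to "check the logs for suspicious RDP probing" needs a detector that does not rely on a per-IP threshold, because a botnet of 100,000 nodes can spread attempts so thinly that no single source ever trips a lockout. The following is an added example (not from the article or from GreyNoise) that runs two checks over constructed log lines: a classic single-source brute-force count and a per-account count of distinct failing sources. The log format and every IP, username and timestamp are constructed for the example; only the Windows semantics are real (event 4625 = failed logon, logon type 10 = RemoteInteractive, i.e. RDP).

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not from the article): failed RDP logons flattened from
# Windows Security event 4625; logon_type 10 is Windows' RemoteInteractive (RDP).
SAMPLE_LOG = """\
2025-10-08T03:12:01Z event=4625 src=203.0.113.5 user=administrator logon_type=10
2025-10-08T03:12:04Z event=4625 src=198.51.100.17 user=administrator logon_type=10
2025-10-08T03:12:09Z event=4625 src=192.0.2.44 user=administrator logon_type=10
2025-10-08T03:12:15Z event=4625 src=203.0.113.77 user=administrator logon_type=10
2025-10-08T03:12:21Z event=4625 src=198.51.100.203 user=administrator logon_type=10
2025-10-08T03:13:02Z event=4625 src=203.0.113.250 user=svc_backup logon_type=10
2025-10-08T03:13:03Z event=4625 src=203.0.113.250 user=svc_backup logon_type=10
2025-10-08T03:13:04Z event=4625 src=203.0.113.250 user=svc_backup logon_type=10
2025-10-08T03:13:05Z event=4625 src=203.0.113.250 user=svc_backup logon_type=10
2025-10-08T08:01:11Z event=4625 src=10.20.0.15 user=jdoe logon_type=10
2025-10-08T08:02:40Z event=4625 src=10.20.0.15 user=jdoe logon_type=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) logon_type=(?P<lt>\d+)$")

def parse_events(text):
    """One dict per well-formed line; anything else is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_rdp_probing(events, per_source_max=3, min_sources_per_user=5):
    """Return (noisy_sources, sprayed_users).
    noisy_sources: IPs with more than per_source_max failed RDP logons (single-source brute force).
    sprayed_users: accounts that failed from >= min_sources_per_user distinct IPs, the shape a
    large botnet produces when each node tries once or twice and never trips a per-IP lockout."""
    fails_by_src, srcs_by_user = Counter(), defaultdict(set)
    for e in events:
        if e["event"] == "4625" and e["lt"] == "10":   # failed RDP logons only
            fails_by_src[e["src"]] += 1
            srcs_by_user[e["user"]].add(e["src"])
    noisy = sorted(s for s, n in fails_by_src.items() if n > per_source_max)
    sprayed = {u: sorted(s) for u, s in srcs_by_user.items() if len(s) >= min_sources_per_user}
    return noisy, sprayed

def block_list(events, **thresholds):
    """Every source implicated by either detector, as a sorted deny list."""
    noisy, sprayed = detect_rdp_probing(events, **thresholds)
    return sorted(set(noisy).union(*sprayed.values()))

if __name__ == "__main__":
    print(detect_rdp_probing(parse_events(SAMPLE_LOG)))
    print(block_list(parse_events(SAMPLE_LOG)))
```

On the sample, the per-IP check catches only 203.0.113.250, while the per-account check exposes the five sources hitting "administrator" once each; the non-RDP logon for jdoe (logon type 2) is ignored.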
Daily Brief Summary
A large-scale botnet is actively targeting Remote Desktop Protocol (RDP) services in the U.S., originating from over 100,000 IP addresses across multiple countries.
The campaign began on October 8, with GreyNoise researchers identifying unusual traffic patterns initially from Brazil, then spreading to other regions.
Countries involved in the attack include Argentina, Iran, China, Mexico, Russia, South Africa, and Ecuador, with a total of over 100 countries having compromised devices.
Attackers commonly scan for open RDP ports, brute-force logins, exploit vulnerabilities, or use timing attacks; GreyNoise found this botnet relies on two types of RDP-related attacks.
Nearly all IP addresses involved share a common TCP fingerprint, suggesting coordinated botnet activity despite variations in Maximum Segment Size.
System administrators are advised to block attacking IP addresses, monitor logs for suspicious RDP activity, and avoid exposing RDP to the public internet.
Implementing VPNs and multi-factor authentication (MFA) is recommended to enhance security against these types of attacks.