Internet intelligence firm GreyNoise has flagged a sharp uptick in scanning activity targeting Microsoft Remote Desktop Web Access and RDP Web Client login portals. The company recorded 1,971 unique IP addresses performing simultaneous probing, a dramatic shift from the typical 3–5 daily scans. This unusual volume strongly indicates a coordinated reconnaissance effort, likely a precursor to credential-based attacks.

Source: greynoise.com.
The campaign is reportedly exploiting timing flaws—small differences in response time when login attempts are made with valid versus invalid usernames. These differences can be used to verify existing usernames without needing to test passwords, giving attackers a useful foothold for future brute-force or password-spraying campaigns.
GreyNoise found that 92% of the IP addresses shared a common client signature and were already flagged as malicious. The vast majority originated from Brazil, while the targets were primarily in the United States. This suggests the activity could stem from a single botnet or an orchestrated use of a common toolset.
The scans coincided with the U.S. back-to-school season, a time when K–12 schools and universities bring many RDP-backed systems online to support students and staff. These institutions often use easily guessable usernames and may lack strong security controls due to budget limitations. GreyNoise also cautioned that this level of scanning could be an early signal of a new RDP vulnerability yet to be disclosed.
Healthcare organizations using Microsoft RDP for remote access should immediately review their exposure. Disable public RDP access where possible, and require multi-factor authentication (MFA) on all remote logins. Where RDP is necessary, place systems behind a VPN or gateway, enforce account lockout policies, and monitor for abnormal login patterns. Healthcare increasingly relies on remote systems and, like the education sector, faces tight budgets, so now is the time to shore up authentication defenses before attackers exploit these reconnaissance efforts.
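
To make the "monitor for abnormal login patterns" advice concrete, the following added example (not from GreyNoise or the original article) flags days when the number of unique source IPs reaching the RD Web portal jumps above a baseline and reports how many of them share one client signature. The log layout, sample lines, thresholds and the `ExampleClient/1.0` agent are constructed assumptions.

```python
from collections import Counter, defaultdict

# Default RD Web Access login page; adjust if your deployment differs.
LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"

def build_sample():
    """Constructed log lines (assumed layout):
    date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)"""
    rows = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)"]
    for i in range(4):    # quiet day: a handful of sources
        rows.append(f"2025-01-01 10:00:{i:02d} 192.0.2.{i + 1} GET {LOGIN_PATH} 200 Mozilla/5.0")
    for i in range(25):   # surge day: 23 of 25 sources share one client signature
        agent = "ExampleClient/1.0" if i < 23 else "Mozilla/5.0"
        rows.append(f"2025-01-02 10:00:{i:02d} 198.51.100.{i + 1} POST {LOGIN_PATH} 200 {agent}")
    return rows

def daily_portal_clients(lines, prefix="/rdweb/"):
    """Map each date to {client IP: last user agent seen} for portal requests."""
    days = defaultdict(dict)
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue      # skip W3C header directives and short lines
        date, _time, ip, _method, stem, _status, agent = parts[:7]
        if stem.lower().startswith(prefix):
            days[date][ip] = agent
    return days

def flag_surges(lines, baseline=5, factor=3):
    """Flag days where unique portal clients exceed baseline * factor and
    report how concentrated they are on a single client signature."""
    alerts = []
    for date, clients in sorted(daily_portal_clients(lines).items()):
        if len(clients) > baseline * factor:
            agent, count = Counter(clients.values()).most_common(1)[0]
            alerts.append({"date": date, "unique_ips": len(clients),
                           "top_agent": agent,
                           "top_agent_share": round(count / len(clients), 2)})
    return alerts

if __name__ == "__main__":
    for alert in flag_surges(build_sample()):
        print(alert)
```

Set `baseline` from your own portal's normal daily count of distinct sources; a high `top_agent_share` on a flagged day points to a single toolset rather than organic traffic.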