Coordinated RDP Scans: Timing-Based Username Enumeration Targeting Education Sector

Security researchers have observed a coordinated, large‑scale reconnaissance campaign probing Microsoft Remote Desktop services that began as a sudden one‑day spike and escalated into a torrent of scans — a pattern that looks less like opportunistic background noise and more like deliberate preparation for credential‑based intrusions against U.S. targets, especially education networks. GreyNoise telemetry shows nearly 2,000 malicious IPs probing RD Web Access and the RDP Web Client authentication portals on August 21, followed by a vastly larger wave of scanning activity that exceeded 30,000 unique IPs a few days later.

Background / Overview​

Microsoft’s Remote Desktop Protocol (RDP) and Remote Desktop Services (RDS) are ubiquitous in enterprise, public‑sector, and education environments. They provide convenient remote administration and virtual lab access, but they also represent a large, exposed attack surface when services are internet‑facing or poorly constrained. RDP has been repeatedly targeted by opportunistic cybercriminals and advanced actors alike, and recent coordinated scanning activity suggests adversaries are intensifying reconnaissance ahead of credential stuffing, password spraying, or other credential‑based attacks.
GreyNoise’s report describes two distinct reconnaissance waves. The first, on August 21, 2025, involved roughly 1,971 IP addresses that probed both Microsoft RD Web Access and the RDP Web Client authentication endpoints almost simultaneously. GreyNoise researchers noted that 1,851 of those IPs shared an identical client signature, indicating a single toolset or botnet module behind much of the activity, and that about 92% of those IPs were previously classified as malicious. The telemetry was overwhelmingly targeted at U.S. hosts, with a disproportionate number of probe origins mapped to Brazil. A second, more expansive wave on August 24 involved over 30,000 unique IP addresses triggering the same tags.
Security outlets corroborated GreyNoise’s findings and highlighted the likely objective: timing‑based username enumeration. Attackers are testing authentication workflows for tiny response‑time discrepancies that can reveal whether a username exists on a targeted system — a stealthy precursor to later password attacks. (bleepingcomputer.com, darkreading.com)

---

Why this campaign matters (technical and operational context)​

Timing‑based enumeration: why small timing differences matter​

Timing attacks against authentication flows exploit measurable differences in server response times between valid and invalid usernames (or other authentication states). An attacker that can submit many carefully spaced probes and measure response times can infer valid accounts without triggering typical brute‑force thresholds or account‑lockout rules. This makes timing enumeration a powerful reconnaissance tool because it converts noisy scanning into a high‑value list of confirmed usernames for further attacks. GreyNoise observed precisely this behavior against RDP web authentication endpoints.

Why education is an attractive target now​

The surge coincides with the U.S. back‑to‑school window, when universities and K‑12 districts bring RDP‑backed labs and remote access systems back online. Those environments frequently use predictable username schemas (student IDs, firstname.lastname), which significantly amplifies the success rate of enumeration. Attackers who harvest confirmed username lists from schools can later mount credential stuffing or password‑spray attacks with a high success probability. GreyNoise specifically called out this timing and motive in their analysis.

Single toolset / botnet signals​

The widespread reuse of a single client signature across thousands of IPs suggests either a centralized botnet with a shared scanning module or a widely distributed toolset controlled by one actor or coordinated group. When most scanning IPs are already flagged malicious, that further supports the hypothesis of organized, automated reconnaissance rather than casual research.

---

What researchers verified (numbers and claims)​

• August 21, 2025: ~1,971 unique IPs probed Microsoft RD Web Access and RDP Web Client auth endpoints.
• 1,851 of those IPs shared the same client signature; ~92% were already tagged malicious.
• August 24, 2025: a follow‑up wave exceeded 30,000 unique IPs triggering the same scanning behavior. (bleepingcomputer.com, greynoise.io)
• Targeting skewed to U.S. endpoints while probing infrastructure largely traced to Brazil as the apparent source region. Analysts caution that geolocation is not definitive attribution because botnets often route through compromised hosts in many countries. (greynoise.io, redhotcyber.com)

These core observations are corroborated across multiple independent reports and GreyNoise’s own telemetry, making the numbers the most load‑bearing claims in public reporting. (greynoise.io, bleepingcomputer.com)

---

Critical analysis: what’s clear, what’s uncertain, and what should worry defenders​

Clear signals (high confidence)​

• The telemetry shows an unusual, highly coordinated scanning pattern against Microsoft RDP web authentication portals over a short window. The scale and uniform signature across hosts are indicators of automation and orchestration rather than random scanning.
• The immediate tactical objective appears to be username enumeration via timing discrepancies — a logical precursor to credential stuffing or password spraying.

Reasonable inferences (moderate confidence)​

• The focus on U.S. educational institutions during back‑to‑school implies target selection based on predictable username patterns. This is a plausible operational assumption and is supported by GreyNoise commentary, but it remains an inference based on timing and target telemetry rather than direct access to attacker intent.
• The reuse of client signatures strongly suggests a single botnet or shared toolkit; however, whether this is criminal-for-profit infrastructure or a nation‑state asset cannot be reliably determined by signature overlap alone.

Unverified claims and caveats (low confidence)​

• Some outlets and aggregators repeat speculative percentages (e.g., “80% chance of major exploits”) or assert likely ransomware follow‑ups. These narratives are possible but not verifiable from the telemetry alone. Claims about future weaponization or imminent zero‑day exploitation must be treated cautiously unless corroborated by additional indicators such as exploit code, active intrusion reports, or vendor advisories. Flag these as speculative. (cybersecuritynews.com, redhotcyber.com)

Attribution pitfalls​

• IP geolocation should not be confused with actor origin. Botnets commonly use compromised hosts in third‑party countries for scanning, so the prevalence of Brazilian IPs most likely reflects the geographic distribution of compromised devices rather than the attackers’ true location. Defenders must avoid simplistic nation attribution based solely on source IPs.

---

Technical verification and related RDP vulnerabilities (what you should patch)​

While the GreyNoise campaign reflects reconnaissance rather than exploitation, the environment is already tense for RDP administrators because RDP‑adjacent vulnerabilities and DoS issues have been actively patched in recent months. Internal forum and industry analysis have documented serious RDP issues — including path traversal vulnerabilities in the Remote Desktop client and resource‑exhaustion flaws affecting Remote Desktop Services — that change the risk calculus for anyone exposing RDP to the internet. Administrators should ensure all relevant Microsoft security updates are installed and that client and server configurations follow best practices.

---

Defensive playbook — prioritized, practical actions (immediate to 90 days)​

Below is a prioritized, actionable checklist to reduce exposure and harden Remote Desktop infrastructure against enumeration and follow‑on attacks.

Immediate (within 24 hours)​

• Block public RDP access: Ensure that TCP 3389 (and any RD Web Access/RDP Web Client endpoints) are not directly reachable from the public internet. Use firewall rules to restrict access to trusted administrative IPs or use VPN/ZTNA to mediate connections.
• Enforce MFA for all remote access: Require multi‑factor authentication for any remote desktop or gateway access. MFA mitigates the impact of username leaks.
• Apply critical patches: Confirm that latest Microsoft security updates for RDS and Remote Desktop Clients are installed on servers and admin workstations. If patching is not immediately possible, apply temporary mitigations or isolate affected hosts.

Short term (24–72 hours)​

• Enable Network Level Authentication (NLA) and configure RD Gateway with strong TLS settings. NLA reduces the attack surface by requiring early authentication.
• Implement allow‑listing: Restrict RDP access to known, managed IP ranges where feasible; block or rate‑limit all other inbound attempts.
• Harden authentication workflows: Reduce timing‑leak surfaces by ensuring uniform error messages and consistent response handling where practical; consult web‑app and gateway configuration guidance for RD Web Access/RDP Web Client to remove timing differences. (Where product settings do not permit perfect uniformity, focus on compensating controls such as MFA and proxy gating.)

Medium term (1–4 weeks)​

• Deploy honeypots / canary accounts: Deliberate, monitored accounts that should never see login traffic can detect enumeration attempts quickly.
• Threat intelligence integration: Feed GreyNoise or equivalent threat feeds into perimeter devices and SIEM to automatically block known malicious client signatures and IPs.
• SIEM rules for timing enumeration: Create analytic rules to detect repeated, high‑resolution login probes that measure subtle timing distributions rather than brute‑force counts. While complex, these can detect sophisticated enumeration campaigns early.
• Conduct an exposure audit: Inventory RD Web Access, RDP Web Client, RD Gateway, and any RDS hosts accessible outside the corporate perimeter. Remove or isolate services that are unnecessary.

Longer term (1–3 months)​

• Move to Zero Trust access: Replace direct public RDP exposure with ZTNA solutions that enforce per‑session authorization and contextual policy.
• Privileged Access Workstation (PAW) model: Use dedicated, restricted administrative jump hosts to perform RDP sessions, minimizing the client attack surface and exposure of privileged credentials.
• User naming and account hygiene: Where possible, avoid predictable username schemas for large user populations (education uses are an exception; in those cases, enforce stronger MFA and session protections).
• Regular red‑team and phishing simulations: Validate controls against realistic recon and credential stuffing scenarios.

---

Detection guidelines — what to log and what to watch for​

• High‑volume, short‑duration authentication probes against RD Web Access/RDP Web Client from many dispersed IPs that share client fingerprints.
• Repeated, low‑error‑rate attempts that change only the username field (this pattern is a classic enumeration trace).
• Early session behavior that correlates to different latency or response profiles depending on username validity — monitor response time distributions aggregated per endpoint.
• Outbound authentication failures or unexpected admin client connections to unknown RDP servers (this can indicate a compromised admin client talking to an attacker‑controlled host).
• Use EDR to detect post‑auth malicious behavior and to protect administrator workstations from connection‑initiated compromises.

---

Policy and operational considerations​

• Account lockout policies must be calibrated: overly aggressive lockouts can create denial‑of‑service vectors; too lenient allows brute force. Prefer adaptive, risk‑based lockout combined with MFA.
• Do not equate IP geolocation with attacker origin. Investigations should assume compromised infrastructure is being abused as a proxy.
• For education IT: schedule a security hardening window around academic start dates and onboard rotation events; predictable calendars create predictable attack opportunities.

---

What to tell senior leadership (brief talking points)​

• A coordinated scanning campaign probed Microsoft RDP authentication portals at scale (≈1,971 IPs on Aug 21 and >30,000 IPs by Aug 24), with the likely goal of harvesting valid usernames via timing differences. (greynoise.io, bleepingcomputer.com)
• Confirmed usernames significantly increase the risk of successful credential stuffing or password‑spray attacks; MFA and restricted access substantially reduce that risk.
• The activity is reconnaissance — not an active compromise — but it should be treated as high‑priority because it precedes successful credential exploitation in many incidents.
• Immediate mitigations (block public RDP, enforce MFA, patch, and integrate threat feeds) materially reduce exposure and are cost‑effective.

---

Limits of current public evidence — flagged uncertainties​

• Public telemetry shows scanning and enumeration techniques, but there is no public evidence at this time that these scans exploited a zero‑day on target systems. Observers note that scanning spikes often precede vulnerability disclosures, but that is correlation, not proof. Treat claims about imminent zero‑day exploitation as speculative until exploit samples or vendor advisories appear. (darkreading.com, greynoise.io)
• Some outlets repeated speculative percentages or worst‑case forecasts; those figures are not substantiated by the raw telemetry and should be quoted only with caution.

---

Final assessment — risk posture and recommended urgency​

This campaign elevates the risk profile for any organization that exposes RD Web Access, RDP Web Client, RD Gateway, or plain RDP to the internet. The reconnaissance pattern — concentrated, orchestrated, and targeted during an operationally predictable window — demonstrates methodical attacker behavior aimed at harvesting valid usernames and mapping exposed endpoints. The defensive measures that offer the highest immediate return are straightforward: remove public exposure, enforce strong MFA, apply Microsoft security updates, and integrate telemetry from threat feeds like GreyNoise to block known malicious client signatures. (greynoise.io, bleepingcomputer.com)
The intelligence picture is clear enough to justify urgent action by IT teams: treat RDP exposure as high‑risk, prioritize control hardening today, and monitor for any escalation or public advisories from vendors that would indicate exploitation of a software vulnerability. At the same time, avoid premature attribution or panic‑driven assumptions about the attackers’ capabilities beyond what the telemetry supports.

---

Acknowledging the scale and organization observed in the GreyNoise telemetry and the corroborating industry reports, defenders should act now: adopt a zero‑tolerance posture for internet‑facing RDP where possible, require MFA everywhere RDP remains necessary, and feed the organization’s detection stack with the latest threat signatures and behavioral rules to catch timing‑based enumeration and the inevitable credential attacks that often follow reconnaissance campaigns. (greynoise.io, bleepingcomputer.com, darkreading.com)

---

Source: Petri IT Knowledgebase Massive Attack Campaign Hits Microsoft Remote Desktop Services