Close Menu
Cybercrime and Ransomware

Over 100,000 IPs Target RDP Services in Widespread Attacks

Staff WriterBy No Comments4 Mins Read0 Views

Quick Takeaways

  1. A large, coordinated botnet campaign is actively targeting RDP services across over 100 countries, primarily focusing on U.S. infrastructure, posing a significant threat to remote work operations.
  2. The attack involves over 100,000 IPs exhibiting similar TCP fingerprints, indicating centralized command-and-control, and uses sophisticated methods like timing hacks and credential guessing to bypass security.
  3. GreyNoise has identified and linked this activity to a single, organized operation, prompting the release of a dynamic blocklist and urging organizations to monitor for unusual RDP traffic.
  4. To mitigate risks, security experts recommend enforcing strong passwords, multi-factor authentication, and applying GreyNoise’s blocklist to restrict malicious IPs and defend RDP endpoints effectively.

The Issue

In October 2025, cybersecurity analysts at GreyNoise uncovered a highly organized and large-scale botnet campaign targeting Remote Desktop Protocol (RDP) services primarily within the United States. Originating from over 100,000 IP addresses across more than 100 countries—including Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa—the attack appears orchestrated by a centralized operator or group controlling a unified command-and-control network. The malicious actors employed sophisticated strategies, such as timing attacks on RD Web Access and credential guessing via web client login enumeration, to silently identify and exploit vulnerable RDP systems without triggering immediate security alerts. The coordinated and technical similarity across the attacking nodes strongly suggests a single controlling entity executing this widespread assault.

GreyNoise reports emphasize that this campaign endangers organizations reliant on RDP for remote work and system administration, urging them to review their security practices. The researchers recommend vigilant monitoring for suspicious RDP activity, implementing strict password policies, and adopting multi-factor authentication to mitigate potential breaches. Additionally, GreyNoise has provided a dynamic blocklist, “microsoft-rdp-botnet-oct-25,” enabling defenders to automatically block IPs associated with this botnet, thereby shutting down the attack vectors at the network edge. This extensive operation highlights the evolving sophistication of cyber threats and underscores the importance of proactive defense measures.

Risk Summary

A vast, orchestrated botnet campaign is actively targeting Remote Desktop Protocol (RDP) services across the United States, originating from over 100,000 unique IP addresses spanning more than 100 countries, primarily driven by a centralized command structure. This coordinated effort employs sophisticated methods—timing attacks to gauge server responses and credential enumeration—to stealthily identify and exploit vulnerable RDP systems, risking severe operational disruptions, data breaches, and financial loss for organizations reliant on remote access. The pervasive, high-scale nature of this threat underscores the critical need for vigilant monitoring, implementation of robust security protocols such as multi-factor authentication, and proactive network defenses like dynamic IP blocking—measures essential to mitigating the substantial cyber risk posed by this organized cybercrime operation.

Possible Action Plan

Prompted by the alarming surge of hackers attacking Remote Desktop Protocol (RDP) services from over 100,000 IP addresses, it becomes crucial to act swiftly to protect sensitive data and maintain system integrity. Rapid and effective remediation can prevent breaches, minimize downtime, and safeguard organizational reputation.

Strengthen Authentication
Implement multi-factor authentication (MFA) to add an extra layer of security beyond simple passwords.

Update and Patch
Regularly apply security patches and updates to RDP services and related software to fix known vulnerabilities.

Network Restrictions
Limit RDP access to a specific known set of IP addresses or geographies using firewall rules.

Disable RDP Access
Disable RDP if not essential, or restrict it to management networks only, reducing attack surface.

Use VPNs
Require VPN connections for remote access, ensuring encrypted tunnels and controlled entry points.

Monitor Traffic
Implement real-time monitoring with intrusion detection systems (IDS) to identify and respond to suspicious activity quickly.

Change Default Ports
Modify the default RDP port (3389) to a non-standard one to diminish scanning risks.

User Education
Train staff on security best practices, emphasizing the importance of strong, unique passwords and recognizing phishing attempts.

Backup Data
Regularly back up critical systems and data, enabling quick recovery if an attack occurs.

Explore More Security Insights

Discover cutting-edge developments in Emerging Tech and industry Insights.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.