Internet intelligence firm GreyNoise reports that it has recorded a significant spike in scanning activity consisting of nearly 1,971 IP addresses probing Microsoft Remote Desktop Web Access and RDP Web Client authentication portals in unison, suggesting a coordinated reconnaissance campaign.

The researchers say that this is a massive change in activity, with the company usually only seeing 3–5 IP addresses a day performing this type of scanning.

GreyNoise says that the wave in scans is testing for timing flaws that could be used to verify usernames, setting up future credential-based attacks, such as brute force or password-spray attacks.

Timing flaws occur when the response time of a system or request unintentionally reveals sensitive information. In this case, a slight timing differe

See Full Page