NEWS Not a Slow Internet, But an Attack — Hackers Use "Time Arithmetic" to Hack Windows Servers

How Milliseconds Break Authentication.

GreyNoise has detected a sharp and atypical surge in reconnaissance activity targeting Microsoft Remote Desktop Web Access (RD Web Access) and the RDP Web Client: 1971 unique IP addresses were active simultaneously, whereas the company typically sees only 3-5 such sources per day.

According to analysts, the synchronicity and scale point to a coordinated campaign where attackers are probing the behavior of authentication portals and preparing the ground for subsequent password attacks. In 1851 cases, the same client "fingerprint" was observed, with about 92% of these nodes already flagged as malicious. The primary traffic originated from Brazil and targeted addresses in the United States, which aligns with the hypothesis of a single botnet or a shared set of tools.

The goal of this scanning wave is to find timing leaks: cases where a microscopic difference in response time inadvertently reveals sensitive information. If the RDP web portal responds to a login attempt with an existing username slightly faster than to a request for a non-existent user, it creates an opportunity to confirm valid logins without knowing the password, a classic side-channel timing attack.

Based on the timing of the surge, researchers point to August 21st—the period when the US school year begins. During these days, schools and universities massively spin up RDP services for remote labs, create numerous new user accounts, and temporarily prioritize accessibility over strict security restrictions. Such environments often use predictable login schemes—from student IDs to "firstname.lastname" patterns—which further increases the effectiveness of username enumeration. Budget constraints in education also play a role: where the priority is quickly connecting thousands of users, security controls and protective mechanisms are often implemented with delay.

GreyNoise emphasizes that, in its past experience, similar spikes often precede the public disclosure of fresh vulnerabilities. Even if this is merely preparation for subsequent password attacks, the risks remain high: confirming a valid username shrinks the search space for brute-forcing and increases the effectiveness of both targeted brute-force attacks and password spraying against a large number of accounts.

Administrators of Windows infrastructures are recommended to immediately eliminate simple compromise scenarios. The minimum measure is mandatory multi-factor authentication (MFA) for all accounts with access to RDP web portals and moving these portals behind a VPN or other remote access perimeter. Additionally, it is worth restricting external access to RD Web Access based on allowlists, enabling aggressive limits on login attempts, and carefully evaluating any differences in response time that could turn into a side-channel leak.
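As an added example (not part of the original post or of any GreyNoise tooling), the two signals the report describes, far more unique source IPs than the daily baseline and most of them sharing one client fingerprint, can be checked against a portal's own web logs. The script assumes IIS-style W3C lines with the fields shown and a constructed sample; the login URI and thresholds are assumptions to adjust per environment.

```python
# Added example: flag a reconnaissance surge against RD Web Access login pages
# in W3C-style IIS logs using two signals: unique source IPs well above the
# daily baseline, and most of those IPs sharing one User-Agent fingerprint.
from collections import Counter

# Constructed sample (assumed field order): date time method uri c-ip user-agent status
SAMPLE_LOG = """\
2025-08-21 03:12:01 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.10 Mozilla/5.0+(scanner-fp-A) 200
2025-08-21 03:12:02 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.11 Mozilla/5.0+(scanner-fp-A) 200
2025-08-21 03:12:02 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.12 Mozilla/5.0+(scanner-fp-A) 200
2025-08-21 03:12:03 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.13 Mozilla/5.0+(scanner-fp-A) 200
2025-08-21 03:12:03 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-08-21 03:12:04 GET /RDWeb/Pages/en-US/Default.aspx 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0) 200
2025-08-21 03:12:05 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.14 Mozilla/5.0+(scanner-fp-A) 200
"""

LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"  # assumed RD Web Access login URI


def parse_line(line):
    """Split one W3C log line into (method, uri, client_ip, user_agent, status)."""
    parts = line.split()
    if len(parts) != 7 or parts[0].startswith("#"):
        return None  # header line or unexpected field count
    _date, _time, method, uri, ip, ua, status = parts
    return method, uri, ip, ua, status


def login_attempts(log_text):
    """Yield (client_ip, user_agent) for every POST to the login page."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] == "POST" and rec[1].lower() == LOGIN_PATH:
            yield rec[2], rec[3]


def analyze(log_text, baseline_unique_ips=5, surge_factor=10, fingerprint_share=0.8):
    """Defaults mirror the report: a handful of sources per day is normal."""
    attempts = list(login_attempts(log_text))
    ips = {ip for ip, _ in attempts}
    # Count each IP once per fingerprint so one chatty IP cannot dominate.
    fp_counts = Counter(ua for _ip, ua in set(attempts))
    top_fp, top_n = fp_counts.most_common(1)[0] if fp_counts else (None, 0)
    top_share = top_n / len(ips) if ips else 0.0
    surge = len(ips) >= baseline_unique_ips * surge_factor
    shared_tool = top_share >= fingerprint_share
    return {"unique_ips": len(ips), "top_fingerprint": top_fp,
            "top_share": round(top_share, 3), "alert": surge and shared_tool}
```

With the default thresholds the tiny sample does not alert; lowering them (as a test would) shows the shared-fingerprint signal firing on the five scanner IPs.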