Summary (Bottom Line Up Front)
IP address 91.239.248.69 conducted intensive RDP reconnaissance against network infrastructure on March 29, 2026, generating over 21,000 scanning events targeting port 3389. This medium-severity activity represents initial reconnaissance-phase operations of the kind that typically precede credential brute-force attacks or exploitation attempts against exposed RDP services. Organizations should immediately review their RDP exposure and implement additional access controls.
Activity Timeline
INITIAL REPORT: 2026-03-29T21:57:01Z
Source: Analyst Manual Entry
Technical details
- Attack Vector: RDP scanning via X.224 connection requests with routing cookies
- Volume: 21,190 events over an 18-hour period (06:00 - 23:00 UTC)
- Protocols: RDP (port 3389), TCP
- MITRE Technique: T1021.001 (Remote Desktop Protocol)
- Kill Chain Phase: Reconnaissance
- Primary Pattern: X224_request scanning methodology
- IOC: 91.239.248.69 (source IP)
IOCs
IP: 91.239.248.69
Recommendations
- Implement network-level blocking of IP 91.239.248.69 across perimeter security controls
- Audit all externally accessible RDP services and disable unnecessary exposures
- Deploy multi-factor authentication on all RDP endpoints that must remain internet-accessible
- Configure rate limiting and connection throttling on RDP services to mitigate automated scanning
- Monitor for follow-on credential brute-force attempts against identified RDP services in the coming 72 hours
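The technical details above describe the scanning pattern (X.224 Connection Requests carrying a routing cookie) and the last recommendation asks for monitoring of follow-on activity. The following is an added detection example, not part of the original report, showing how a defender can parse captured TPKT/X.224 Connection Request PDUs, note whether each one carries an `mstshash` routing cookie, and flag source addresses whose request volume toward port 3389 exceeds a per-window threshold. The packet bytes and event list are constructed here for illustration; the threshold value and the `build_x224_cr`/`summarize`/`flag_scanners` names are this example's own choices.

```python
"""Added example: count RDP X.224 Connection Requests per source and flag
high-volume scanners. Packet layout follows the TPKT (RFC 1006) and X.224
Connection Request structure used by RDP; sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

COOKIE_PREFIX = b"Cookie: mstshash="  # routing cookie used in RDP X.224 CR PDUs


def build_x224_cr(cookie: Optional[bytes]) -> bytes:
    """Construct a TPKT-framed X.224 Connection Request (used only to build
    sample input for this example)."""
    # Fixed part: CR TPDU code 0xE0, DST-REF (2), SRC-REF (2), class option (1).
    body = b"\xe0\x00\x00\x00\x00\x00"
    if cookie is not None:
        body += COOKIE_PREFIX + cookie + b"\r\n"
    x224 = bytes([len(body)]) + body            # LI counts bytes after itself
    tpkt_len = 4 + len(x224)                      # TPKT header is 4 bytes
    return b"\x03\x00" + tpkt_len.to_bytes(2, "big") + x224


@dataclass
class X224Request:
    routing_cookie: Optional[bytes]


def parse_x224_cr(pkt: bytes) -> Optional[X224Request]:
    """Return the parsed Connection Request, or None if the bytes are not a
    well-formed TPKT/X.224 CR PDU (malformed or unrelated traffic is skipped)."""
    if len(pkt) < 11 or pkt[0] != 3 or pkt[1] != 0:
        return None
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        return None
    li = pkt[4]
    if pkt[5] != 0xE0 or 5 + li > len(pkt):
        return None
    variable = pkt[11:5 + li]                   # bytes after the 6-byte fixed part
    cookie = None
    if variable.startswith(COOKIE_PREFIX):
        end = variable.find(b"\r\n")
        cookie = variable[len(COOKIE_PREFIX):end if end != -1 else len(variable)]
    return X224Request(routing_cookie=cookie)


def summarize(events):
    """events: iterable of (iso_timestamp, source_ip, raw_packet_bytes).
    Returns per-source counts of CR PDUs, how many carried a cookie, and the
    distinct hours in which they were seen."""
    stats = defaultdict(lambda: {"requests": 0, "with_cookie": 0, "hours": set()})
    for ts, src, raw in events:
        req = parse_x224_cr(raw)
        if req is None:
            continue
        entry = stats[src]
        entry["requests"] += 1
        if req.routing_cookie is not None:
            entry["with_cookie"] += 1
        entry["hours"].add(ts[:13])             # YYYY-MM-DDTHH bucket
    return dict(stats)


def flag_scanners(stats, threshold: int):
    """Sources whose CR volume meets the threshold, sorted for stable output."""
    return sorted(src for src, s in stats.items() if s["requests"] >= threshold)


# Constructed sample: the reported source sends 25 cookie-bearing requests across
# two hours; an internal host sends one legitimate CR and one non-RDP packet.
SAMPLE_EVENTS = (
    [(f"2026-03-29T06:{i:02d}:00Z", "91.239.248.69", build_x224_cr(b"scan")) for i in range(15)]
    + [(f"2026-03-29T07:{i:02d}:00Z", "91.239.248.69", build_x224_cr(b"scan")) for i in range(10)]
    + [("2026-03-29T09:15:00Z", "10.0.0.5", build_x224_cr(None)),
       ("2026-03-29T09:16:00Z", "10.0.0.5", b"\x16\x03\x01\x00\x05hello")]  # TLS-like, not X.224
)

if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    for src in flag_scanners(stats, threshold=20):
        s = stats[src]
        print(f"{src}: {s['requests']} X.224 CRs ({s['with_cookie']} with cookie) "
              f"over {len(s['hours'])} hour bucket(s)")
```

In production the threshold would be tuned against normal RDP gateway traffic, and the per-hour buckets give the analyst the same kind of window the report quotes (events over a multi-hour period) rather than a single spike.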