As many as 250,000 credentials for Remote Desktop Protocol servers may have been offered for sale on the now-shuttered xDedic cybercrime marketplace. Security experts advise information security professionals to take several important steps that go far beyond simply changing credentials. The attackers will move laterally off the compromised system extremely quickly and try to establish multiple command-and-control channels as they know they will likely lose the initial access. They also may try to sniff out other credentials that will enable them to return via a legitimate channel.”]
Source: https://www.cuinfosecurity.com/xdedic-what-to-do-if-your-rdp-server-was-pwned-a-9228