Exposed VNC instances threaten critical infrastructure as attacks escalate


New research from threat intelligence and cybersecurity firm Cyble has identified an escalation of attacks against Virtual Network Computing (VNC), a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer, in critical infrastructure sectors. Analyzing data from Cyble Global Sensor Intelligence (CGSI), Cyble researchers found a threefold increase in attacks on port 5900 (the default port for VNC) between July 9 and August 9, 2022. Most of the attacks originated from the Netherlands, Russia and Ukraine, according to the company, highlighting the risks of exposed VNC in critical infrastructure.

Exposed VNC compromises ICS; exposed assets commonly traded on cybercrime forums

According to a blog post detailing Cyble’s findings, organizations that expose VNC over the internet without enabling authentication widen the scope for attackers and increase the likelihood of cyber incidents. More than 8,000 exposed VNC instances with authentication disabled were detected. Cyble also found that assets exposed via VNC are often sold, bought, and distributed on cybercrime forums and marketplaces.
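The authentication gap Cyble describes is visible in the first two messages of the RFB handshake: after the version exchange, an RFB 3.7/3.8 server lists the security types it accepts, and a server that offers type 1 ("None") lets any client in without a password. The following Python script is an added example for this article (not Cyble's tooling and not code from the blog post): it performs only the version and security-type exchange from RFC 6143 (plus the RFB 3.3 variant, where the server dictates a single type as a 32-bit integer), records what the server offers, and closes the connection before selecting a type, so it never establishes a session. The `serve_fake_rfb` fixture, its banners and the "too many failures" reason string are constructed for the example; point the script only at hosts you are authorized to test.

```python
"""Report which RFB security types a VNC server offers, without logging in.

Added example, not the article's or Cyble's code. It speaks only the
ProtocolVersion and Security handshake of RFC 6143 (and the RFB 3.3 form)
and stops before choosing a security type, so no session is established.
"""
import socket
import struct
import sys
import threading

# Security type numbers from RFC 6143 and the IANA RFB registry.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "GTK-VNC SASL", 30: "Apple Remote Desktop",
}


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def _read_reason(sock):
    """Read the u32-length-prefixed failure string a server sends when it offers no types."""
    length = struct.unpack(">I", _recv_exact(sock, 4))[0]
    return _recv_exact(sock, length).decode("latin-1", "replace")


def parse_protocol_version(banner):
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    if (len(banner) != 12 or not banner.startswith(b"RFB ")
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError("not an RFB banner: %r" % (banner,))
    return int(banner[4:7]), int(banner[8:11])


def rfb_security_types(host, port=5900, timeout=5.0):
    """Return a dict: version, types (ints), names, unauthenticated (type 1 offered), reason."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_protocol_version(_recv_exact(s, 12))
        if (major, minor) >= (3, 7):
            # Reply with the highest version we speak that the server also speaks.
            s.sendall(b"RFB 003.008\n" if (major, minor) >= (3, 8) else b"RFB 003.007\n")
            count = _recv_exact(s, 1)[0]          # number of security types offered
            if count == 0:
                types, reason = [], _read_reason(s)
            else:
                types, reason = list(_recv_exact(s, count)), None
        else:
            # RFB 3.3: the server dictates one security type as a big-endian u32.
            s.sendall(b"RFB 003.003\n")
            t = struct.unpack(">I", _recv_exact(s, 4))[0]
            types = [t] if t != 0 else []
            reason = _read_reason(s) if t == 0 else None
        # Deliberately stop here: no security type is selected, nothing is authenticated.
    return {
        "version": (major, minor),
        "types": types,
        "names": [SECURITY_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in types],
        "unauthenticated": 1 in types,
        "reason": reason,
    }


def serve_fake_rfb(banner, security_types, reason=b"too many failures"):
    """One-shot fake VNC server on 127.0.0.1 (constructed test fixture, not a real server).

    Speaks just enough RFB to exercise rfb_security_types; returns its listening port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(banner)
            _recv_exact(conn, 12)                 # the client's version reply
            failed = struct.pack(">I", len(reason)) + reason
            if parse_protocol_version(banner) >= (3, 7):
                conn.sendall((bytes([len(security_types)]) + bytes(security_types))
                             if security_types else (b"\x00" + failed))
            else:
                conn.sendall(struct.pack(">I", security_types[0])
                             if security_types else (struct.pack(">I", 0) + failed))

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    else:
        # No target given: demonstrate against a fake server offering None and VNC auth.
        host, port = "127.0.0.1", serve_fake_rfb(b"RFB 003.008\n", [1, 2])
    r = rfb_security_types(host, port)
    offered = ", ".join(r["names"]) or "nothing (%s)" % r["reason"]
    print("%s:%d speaks RFB %d.%d and offers: %s" % (host, port, r["version"][0], r["version"][1], offered))
    if r["unauthenticated"]:
        print("EXPOSED: security type None is offered; anyone can connect without a password")
```

Run it as `python3 rfb_check.py <host> [port]` against your own inventory, or with no arguments to see it detect the fake unauthenticated server. Note that "VNC Authentication" (type 2) being the only type is not a clean bill of health either: it is a DES challenge-response over an eight-character password and is exactly what the brute-force activity described later in the article targets; types 18 and 19 (TLS, VeNCrypt) at least put the exchange inside an encrypted channel.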

“Although the number of exposed VNCs is small compared to previous years, it should be noted that the exposed VNCs found during the analysis belong to different organizations falling under critical infrastructure such as water treatment plants, manufacturing plants, research facilities,” the company added. Cyble researchers were able to identify multiple human-machine interface (HMI) systems, supervisory control and data acquisition (SCADA) systems, and workstations that were connected via VNC and exposed over the internet.

An attacker who gains access to a dashboard “can manipulate the operator’s pre-defined settings and change the values for temperature, flow, pressure, etc., increasing the stress on the equipment and causing physical damage to the site and potentially to nearby operators,” wrote Cyble. Exposed SCADA systems could also be operated by an attacker, who could gain additional insight into confidential and sensitive information that could be further used to compromise the entire ICS environment, it said. “Exposure of systems like this allows attackers to target a specific component within the environment and start a chain of events by manipulating various processes involved in the attacked facility.”

Remote work, global hacktivism and initial access brokers may be behind the increase in attacks

Speaking to CSO, Dhanalakshmi PK, senior director of malware and intelligence research at Cyble, says three factors likely played a key role in the escalation of attacks on VNC: remote work, a rise in global hacktivism, and more initial access brokers targeting ICS. “Several organizations were unprepared for the sudden shift from an offline work environment to a remote work environment, which led to the exposure of services such as VNC and RDP over the Internet as these services are used to connect to assets remotely,” she says. Technical support teams also relied on these services to remotely troubleshoot workstations installed at various institutions. “Because the shift to remote work was sudden, it led to VNC becoming a global hit.”

Additionally, hacktivist groups are actively scanning for, exploiting and claiming attacks on ICS, and given the volatile events around the world, script kiddies and threat actors are targeting VNC services because they are seen as low-hanging fruit, Dhanalakshmi PK adds. “Hacktivist groups, politically or religiously motivated, target IT/OT infrastructure within hours of an incident in a specific state or nation, and targeting VNC via brute force attacks can help them get a foothold over a workstation involved in a critical process.”

Initial access brokers, financially motivated threat actors who break into businesses by various means and then sell that access on cybercrime forums to ransomware-as-a-service (RaaS) operators, APT groups and other cybercriminals, also sell initial access to targeted infrastructure via remote access applications including VNC, says Dhanalakshmi PK. “Finally, the rise in attacks on VNC in critical infrastructure sectors shows that attackers are using valid accounts or performing brute force attacks to log in to a service specifically designed to accept remote connections such as Telnet, SSH, and VNC. The attacker can then perform actions as the logged-in user, which can lead to targeted APT or ransomware attacks,” she adds.

Vulnerable VNC an easy target for attackers

Speaking to CSO, John Bambenek, principal threat hunter at Netenrich, says VNC grants access to a targeted computer yet offers woefully inadequate means of protecting that computer, even when passwords are used. “The damage that can be caused depends on the organization and user permissions under which VNC is running. In one example, a Department of Health was disclosed, which means private health information is disclosed,” he says.

Tim Silverline, vice president of security at Gluware, agrees. “Remote desktop services like VNC are some of the easiest targets for hackers to identify because they operate on well-known standard ports, and there are many tools that can both scan for these services and brute force the passwords of those they find,” he tells CSO.

Any company running publicly reachable remote access services with no authentication configured is essentially putting up a welcome sign for adversaries, adds Rick Holland, CISO and vice president of strategy at Digital Shadows. “It’s trivial to find these types of open services, so any actor, from script kiddies to seasoned actors, could use these misconfigurations to gain a first taste of the environment.”

One of the challenges in defending critical infrastructure environments is that many defenders assume there is an air gap separating traditional IT networks from ICS networks, Holland says. “Segmented networks don’t always exist, and defenders need real-time visibility into publicly available services. These services require restricted network access with strong authentication enabled, including certificate-based authentication.”

Silverline advises businesses to limit their VNC internet exposure and require multi-factor authentication (MFA) for any remote connection to a network, including via VPN or directly via protocols such as RDP, VNC, or SSH. “This prevents brute force attempts from succeeding and greatly increases a hacker’s difficulty in gaining access to the network.”

Copyright © 2022 IDG Communications, Inc.

