According to Cyble Global Sensor Intelligence (CGSI) researchers, threat actors can access over 9,000 VNC servers exposed online without authorization.
Virtual Network Computing (VNC) is a platform-independent technology that allows users to control a remote computer via the Remote Frame Buffer (RFB) protocol. Users can send mouse and keyboard commands to remote devices through the platform independent systems.
A surge in attacks on port 5900, the default port for VNC, prompted Cyble researchers to discover this exposed Internet-connected exposed VNC instances.
Threat actors accessed files through exposed VNC servers without authentication
Most exposed VNC servers were in China and Sweden, while the United States, Spain, and Brazil also had many exposed instances. However, most of the attacks came from the Netherlands, Russia, Ukraine, Poland and the United States.
Cyble researchers identified live access to unsecured VNC servers. They connected an actor identified as “Spielerkid89” to a computer at the Ministry of Health in the Omsk region of the Russian Federation. Surprisingly, the user was able to access the computer’s desktop and files via an open VNC connection without a password.
He also admitted that he was able to access the names, financial documents and IP addresses of people on the internal network.
Although VNC servers are not inherently insecure if properly secured with strong passwords, they could be entry points for unauthorized users to gain access to internal networks.
Ransomware groups and advanced persistent threat actors are interested in using exposed VNC servers as initial access vectors for cyberattacks.
Researchers then discovered selling exposed VNC servers alongside VPNs and RDPs on dark web hacking forums.
“When you’re running a publicly-facing remote access service with unconfigured authentication, you’re essentially putting up the ‘welcome sign’ for attackers,” said Rick Holland, chief information security officer, vice president of strategy at Digital Shadows.
“VNC is no different from RDP and the other widely used remote access services that threat actors are targeting. Unfortunately, public-facing VNC comes as no surprise as it highlights the challenges of implementing “security basics”.
Holland added that detecting exposed VNC servers is trivial even for script kiddies without exceptional skills, thereby widening the attack surface.
“This is a huge deal for companies with exposed entities that have authentication disabled,” said Tim Silverline, Gluware’s vice president of security. “VNC is a Remote Desktop (RDP) protocol that allows full control over the asset it is installed on, as if a user were physically sitting at the computer in question.”
Unsecured VNC servers exposed organizations with critical infrastructure
Cyble researchers discovered that some exposed VNCs could access critical systems, including industrial control systems (ICS).
“During the investigation, researchers were able to isolate multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), workstations, etc. that were connected via VNC and exposed over the Internet,” noted Cyble researchers.
They came across an exposed HMI dashboard for a pump system that hackers could access without authentication. Attackers could access the industrial control system dashboards and manipulate various parameters such as temperature, pressure, and rotation, causing physical damage to industrial sites. This possibility is a perfect scenario for sophisticated nation-state actors in the cyber warfare era.
According to Holland, nation-state actors have the option to turn initial VNC access into something more nefarious. Likewise, they could access sensitive information such as device IDs and network information for later attacks on ICS environments.
“In terms of critical infrastructure, these accesses can be used for anything from data theft to sabotage to performing a ransomware or wiper attack, depending on the attacker’s skill and intent,” said Garrett Carstens, director of Intel Collection Management at Intel 471.
According to Cyble, VNC servers exposed online posed a significant cyber threat to national security, business, energy and transportation sectors.
“As the Cyble report demonstrates, critical infrastructure industries using ICS SCADA systems and IoT devices can represent attractive soft targets, especially with exposed VNCs,” said Rajiv Pimplaskar, CEO of free float. “A key avoidance strategy is to use stealth networks that obfuscate source-destination relationships and sensitive data flows.”