Cyble Global Sensor Intelligence observes an increase in attempts to exploit VNC
Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to control another machine remotely. It relays graphical screen changes while transmitting keyboard and mouse inputs from one machine to another via a network.
While the demerits of exposing VNC over the internet have been previously discussed, there are still over 8000 exposed VNC instances with authentication disabled, as shown below.

As shown below, China, Sweden, and the United States are among the top 5 countries with exposed VNCs over the internet.

By analyzing the data from Cyble Global Sensor Intelligence (CGSI), Cyble researchers noticed a peak in attacks on port 5900, which is the default port for VNC, as shown below.

The majority of attacks originated from the Netherlands, Russia, and Ukraine, as shown in the figure below.

Related Observations
An individual who goes by the alias “Spielerkid89” connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. To remotely access a ministry employee’s desktop, the hacker didn’t need any password or authentication – they could access all the files and information on that computer via an open VNC port, as shown in Figure 5.
“I was able to access people’s names, other IP addresses pointing to other computers on the network, and financial documents, too,” he said.

A successful cyberattack by any ransomware, data extortion, Advanced Persistent Threat (APT) groups, or other sophisticated cybercriminals is usually preceded by an initial compromise of the victim’s enterprise network. An organization leaving exposed VNCs over the internet broadens the scope for attackers and drastically increases the likelihood of cyber incidents.
Our investigation found that exposed assets connected via VNC are frequently sold, bought, and distributed on cybercrime forums and markets. A few examples can be seen in the figures below.



Exposure
Even though the count of exposed VNCs is low compared to previous years, it should be noted that the exposed VNCs found during the time of analysis belong to various organizations that come under Critical Infrastructures such as water treatment plants, manufacturing plants, research facilities, etc.
During the course of the investigation, researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet.
Below we have included a few screenshots from the organizations dealing with Critical Infrastructures and performing tasks with critical appliances.

An attacker gaining access to the above dashboard can manipulate the predefined settings of the operator and can change the values of temperature, flow, pressure, etc., which might increase the stress on the equipment resulting in physical damage to the site and potentially nearby operators.

Malicious hackers can utilize online search engines to narrow down victim organizations with exposed VNCs, as shown above. They can also abruptly change the Set Points, Rotations, and Pump stations, resulting in loss of operations. This can even result in disruption of the supply chain and the processes connected with the affected industries.

Cyble researchers also found SCADA systems that are exposed and can be operated by an attacker due to exposed VNCs.
Exposing systems like this allows attackers to target a particular component within the environment and start a chain of events by manipulating various processes involved in the targeted facility.
Attackers can even gain insights into confidential and sensitive intelligence like the Alarm Set points, Device ID, Network details, Control Flow, etc., which can be further utilized to compromise the complete ICS environment.

An attacker gaining access to the above panel can change the direction, setpoints, and flow of processes involving heavy machinery, which can harm organizations’ production and sales, resulting in a financial and reputational loss.
Conclusion
Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies.
However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.
Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).
Analysis from CGSI points out that recently port 5900 has been actively scanned and targeted by the attackers, which can also result in ransomware attacks on critical infrastructure in the near future.
Readers should bear in mind that exposed VNCs from critical organizations put the national security, economy, energy, and transportation sectors at high risk of cyberattacks. It is advised that organizations using VNC and similar products should ensure that their ports and services are not exposed online and are appropriately secured.
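To confirm whether one of your own VNC servers is in the "authentication disabled" state described above, you can inspect the first two messages it sends in the RFB handshake. The following is an added example, not Cyble's code: it parses captured server bytes using the message layout and security-type numbers from RFC 6143, and the function name and sample bytes are constructed for illustration.

```python
import struct

# Security-type numbers from RFC 6143, section 7.1.2 (RFB protocol).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def parse_rfb_server_hello(version_msg: bytes, security_msg: bytes) -> dict:
    """Classify an RFB handshake captured from a server you are responsible for.

    version_msg  : the 12-byte ProtocolVersion message ("RFB xxx.yyy\\n")
    security_msg : the server's next message (security types or refusal reason)
    """
    if (len(version_msg) != 12 or not version_msg.startswith(b"RFB ")
            or version_msg[-1:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(version_msg[4:7]), int(version_msg[8:11])

    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates a single type as a 32-bit integer.
        if len(security_msg) < 4:
            raise ValueError("truncated security-type message")
        offered = [struct.unpack(">I", security_msg[:4])[0]]
    else:
        # RFB 3.7/3.8: one count byte, then that many one-byte types.
        if not security_msg:
            raise ValueError("empty security-types message")
        count = security_msg[0]
        if count == 0:
            # Zero types means the server refused; a reason string follows.
            if len(security_msg) < 5:
                raise ValueError("truncated refusal message")
            (rlen,) = struct.unpack(">I", security_msg[1:5])
            reason = security_msg[5:5 + rlen].decode("latin-1")
            return {"version": (major, minor), "offered": [],
                    "no_auth": False, "refused": reason}
        offered = list(security_msg[1:1 + count])
        if len(offered) != count:
            raise ValueError("truncated security-types list")

    names = [SECURITY_TYPES.get(t, f"type {t}") for t in offered]
    # Type 1 ("None") means anyone who can reach the port gets the desktop.
    return {"version": (major, minor), "offered": names,
            "no_auth": 1 in offered, "refused": None}


# Constructed sample captures (not taken from the article's data).
OPEN_SERVER = parse_rfb_server_hello(b"RFB 003.008\n", b"\x02\x01\x02")
PASSWORD_SERVER = parse_rfb_server_hello(b"RFB 003.008\n", b"\x01\x02")
```

A server is only as strong as the weakest type it offers, so `no_auth` is true whenever type 1 appears in the list, even alongside password authentication.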
Recommendations
- Make sure critical assets within the IT/OT environment are behind firewalls.
- Limit exposure of VNC over the internet.
- Ensure the devices within the ICS environment are patched with the recent updates released by the official vendor.
- Follow a strong password policy within the organization.
- Make sure proper access controls are placed within the organization.
- Logging and monitoring assets can help in finding anomalies within the network.
- Enable all the necessary security measures for VNC.
- Cyber security awareness and training programs are necessary for employees operating in an ICS environment.
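As an illustration of the logging and monitoring recommendation, the sketch below flags sources probing the VNC port across a perimeter firewall log. It is an added example, not Cyble's or CGSI's detection logic: the iptables-style log lines are constructed, and the thresholds and the extra ports 5901-5909 (higher VNC display numbers) are assumptions.

```python
import re
from collections import defaultdict

# 5900 is the default VNC port named in the article; 5901-5909 (higher
# display numbers) are included as an assumption.
VNC_PORTS = range(5900, 5910)

# Matches the SRC/DST/DPT fields of an iptables LOG line for TCP traffic.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = """\
Aug 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=5900 SYN
Aug 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=60 TTL=52 PROTO=TCP SPT=44322 DPT=5900 SYN
Aug 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=60 TTL=52 PROTO=TCP SPT=44323 DPT=5900 SYN
Aug 10 03:15:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=51000 DPT=5900 SYN
Aug 10 03:16:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40001 DPT=443 SYN
Aug 10 03:16:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 LEN=60 TTL=49 PROTO=TCP SPT=40002 DPT=443 SYN
Aug 10 03:16:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 LEN=60 TTL=49 PROTO=TCP SPT=40003 DPT=443 SYN
"""


def vnc_probe_sources(log_text, min_hosts=3, min_attempts=10):
    """Return {source_ip: reason} for sources that look like VNC probing.

    "sweep"    : the source touched a VNC port on >= min_hosts distinct hosts
    "repeated" : the source hit VNC ports >= min_attempts times on fewer hosts
    """
    hosts = defaultdict(set)     # source -> distinct destinations on VNC ports
    attempts = defaultdict(int)  # source -> total connection attempts
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in VNC_PORTS:
            continue  # unparseable line or not VNC traffic
        hosts[m["src"]].add(m["dst"])
        attempts[m["src"]] += 1

    flagged = {}
    for src, dsts in hosts.items():
        if len(dsts) >= min_hosts:
            flagged[src] = "sweep"
        elif attempts[src] >= min_attempts:
            flagged[src] = "repeated"
    return flagged


if __name__ == "__main__":
    print(vnc_probe_sources(SAMPLE_LOG))
```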