Threat actors can access over 9,000 VNC servers exposed online without authorization, according to researchers at Cyble Global Sensor Intelligence (CGSI).
Virtual Network Computing (VNC) is a platform-independent remote-desktop technology built on the Remote Frame Buffer (RFB) protocol: the VNC client sends keyboard and mouse input to the remote machine and receives screen updates from it, so the user can operate the remote desktop as if seated at it.
An uptick in attacks on port 5900, the default VNC port, prompted Cyble researchers to look for internet-facing VNC instances, which is how they found the exposed servers.
Threat actors accessed files without authentication via exposed VNC servers
Most exposed VNC servers were in China and Sweden, while the United States, Spain, and Brazil also had many exposed instances. However, most attacks originated from the Netherlands, Russia, Ukraine, Poland, and the United States.
Cyble researchers identified live access to unsecured VNC servers. They linked an actor identified as “Spielerkid89” to a computer at the Ministry of Health in the Omsk region of the Russian Federation. Surprisingly, the user could access the computer’s desktop and files via an open VNC connection without a password.
He also admitted that he could access people’s names, financial documents, and IP addresses on the internal network.
VNC itself is not inherently insecure when authentication is enabled and strong credentials are enforced, but an instance exposed to the internet without those controls is a ready entry point into the internal network behind it.
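The property that makes these servers "open" is visible in the first few bytes of the RFB handshake: after the version exchange the server lists the security types it offers, and type 1 ("None") means it will hand over the desktop with no password at all. The following probe, added here as an example and not code from Cyble or any VNC project, performs that negotiation and stops before any authentication, confirming on RFB 3.8 servers that selecting "None" actually succeeds. It assumes the RFB 3.3/3.7/3.8 message formats from RFC 6143; the `ScriptedSocket` class and the server transcripts it replays are constructed so the check runs offline.

```python
"""RFB (VNC) handshake probe: does a server on port 5900 accept unauthenticated sessions?"""
import socket
import struct

# Security type numbers from RFC 6143 section 7.1.2 and the IANA RFB registry
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL", 30: "Apple Remote Desktop",
}


def recv_exact(sock, n):
    """Read exactly n bytes; every handshake message parsed here is fixed length."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def read_reason(sock):
    """Failure reason string: U32 length followed by that many bytes."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length).decode("latin-1", "replace")


def probe_rfb(sock):
    """Run the RFB ProtocolVersion and security-type negotiation on an open
    connection and stop before authenticating. Works on anything exposing
    recv()/sendall(), so a real socket or a scripted one can drive it."""
    banner = recv_exact(sock, 12)                       # e.g. b"RFB 003.008\n"
    if banner[:4] != b"RFB " or banner[-1:] != b"\n":
        raise ValueError("not an RFB server: %r" % banner)
    major, minor = int(banner[4:7]), int(banner[8:11])
    # Speak the highest version we implement; anything below 3.7 uses the 3.3 rules
    if (major, minor) >= (3, 8):
        client_version = b"RFB 003.008\n"
    elif (major, minor) == (3, 7):
        client_version = b"RFB 003.007\n"
    else:
        client_version = b"RFB 003.003\n"
    sock.sendall(client_version)

    result = {"server_version": "%d.%d" % (major, minor)}
    if client_version == b"RFB 003.003\n":
        # 3.3: the server dictates a single security type as a big-endian U32
        (stype,) = struct.unpack(">I", recv_exact(sock, 4))
        offered = [] if stype == 0 else [stype]
        if stype == 0:
            result["error"] = read_reason(sock)
    else:
        # 3.7/3.8: U8 count, then one U8 per offered type; count 0 means failure
        count = recv_exact(sock, 1)[0]
        if count == 0:
            result["error"] = read_reason(sock)
        offered = list(recv_exact(sock, count))
    result["security_types"] = [SECURITY_TYPES.get(t, "Unknown(%d)" % t) for t in offered]
    result["no_auth"] = 1 in offered
    if result["no_auth"] and client_version == b"RFB 003.008\n":
        # Confirm it: select type 1 (None); a 3.8 server replies SecurityResult 0 = OK.
        # (3.7 sends no SecurityResult for None, so there is nothing to read there.)
        sock.sendall(b"\x01")
        (status,) = struct.unpack(">I", recv_exact(sock, 4))
        result["no_auth_confirmed"] = (status == 0)
    return result


def probe_host(host, port=5900, timeout=5.0):
    """Probe a live host (only one you are authorised to test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_rfb(sock)


class ScriptedSocket:
    """Constructed stand-in for a server socket: replays canned server bytes
    and records what the client sent, so the probe can run offline."""
    def __init__(self, server_bytes):
        self.pending = server_bytes
        self.sent = b""

    def recv(self, n):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk

    def sendall(self, data):
        self.sent += data


if __name__ == "__main__":
    # Constructed transcripts: a 3.8 server offering None and VNC auth, then SecurityResult OK,
    # and one that offers only VNC Authentication (type 2)
    open_server = b"RFB 003.008\n" + b"\x02\x01\x02" + b"\x00\x00\x00\x00"
    locked_server = b"RFB 003.008\n" + b"\x01\x02"
    for label, script in (("open", open_server), ("locked", locked_server)):
        print(label, probe_rfb(ScriptedSocket(script)))
```

Because the probe never sends ClientInit, a server that offers only "VNC Authentication" sees nothing more than a client that disconnected after the version exchange; a server that offers "None" is marked as open, which is the condition that let the researchers reach desktops and files without a password. Run `probe_host()` only against hosts you own or are authorised to test.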
Ransomware groups and sophisticated advanced persistent threat actors are interested in leveraging exposed VNC servers as initial access vectors for cyber attacks.
The researchers also found access to exposed VNC servers being sold on dark web hacking forums alongside VPN and RDP access.
“If you run any remote access service that is public facing with unconfigured authentication, you are essentially putting up the ‘welcome sign’ for adversaries,” said Rick Holland, Chief Information Security Officer and Vice President of Strategy at Digital Shadows.
“VNC is not different than RDP and the other widespread remote access services threat actors target. Sadly, public-facing VNC is no surprise, highlighting the challenges in implementing ‘security basics.’”
Holland added that discovering exposed VNC servers is trivial even for low-skilled attackers, which widens the attack surface.
“This is an enormous deal for the companies with exposed instances that have disabled authentication,” said Tim Silverline, Vice President of Security at Gluware. “VNC is a Remote Desktop (RDP) protocol that allows for complete control of the asset it is installed on as if a user were physically sitting at the computer in question.”
Unsecured VNC servers exposed critical infrastructure organizations
Cyble researchers discovered that some exposed VNCs could access critical systems, including industrial control systems (ICS).
“During the course of the investigation, researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet,” noted Cyble researchers.
They encountered an exposed HMI dashboard for a pump system that hackers could access without authentication. Attackers could access the industrial control system dashboards and manipulate various parameters such as temperature, pressure, and rotation, causing physical damage to industrial sites. This possibility is a perfect scenario for sophisticated nation-state actors in the cyber warfare era.
According to Holland, nation-state actors have the capabilities to pivot initial VNC access into something more nefarious. Similarly, they could access sensitive information such as device IDs and network information for subsequent attacks on ICS environments.
“With respect to critical infrastructure, these accesses can be used for anything from data theft to sabotage to carrying out a ransomware or wiper attack, depending on capabilities and intent of the threat actor,” said Garrett Carstens, Director of Intel Collection Management at Intel 471.
According to Cyble, VNC servers exposed online posed a significant cyber threat to the national security, economy, energy, and transportation sectors.
“As the Cyble report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices can present appealing soft targets, especially with exposed VNCs,” said Rajiv Pimplaskar, CEO of Dispersive Holdings. “A key strategy for avoidance is using stealth networking which obfuscates source to destination relationships as well as sensitive data flows.”