New research from threat intelligence and cybersecurity company Cyble has identified a peak in attacks targeting virtual network computing (VNC) – a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to control another machine remotely – in critical infrastructure sectors. By analyzing the data from its Global Sensor Intelligence (CGSI), Cyble researchers noticed a spike in attacks on port 5900 (the default port for VNC) between July 9 and August 9, 2022. Most attacks originated from the Netherlands, Russia, and Ukraine, according to the firm, and highlight the risks of exposed VNC in critical infrastructure.
Exposed VNC putting ICS at risk, assets frequently distributed on cybercrime forums
According to a blog posting detailing Cyble’s findings, organizations that expose VNCs over the internet by failing to enable authentication broaden the scope for attackers and increase the likelihood of cyber incidents. It detected more than 8,000 exposed VNC instances with authentication disabled. Cyble also found that exposed assets connected via VNCs are frequently sold, bought, and distributed on cybercrime forums and market.
“Even though the count of exposed VNCs is low compared to previous years, it should be noted that the exposed VNCs found during the time of analysis belong to various organizations that come under critical infrastructures such as water treatment plants, manufacturing plants, research facilities,” the firm added. Cyble researchers were able to narrow down multiple human machine interface (HMI) systems, Supervisory Control and Data Acquisition Systems (SCADA), and workstations, connected via VNC and exposed over the internet.
An attacker gaining access a dashboard “can manipulate the predefined settings of the operator and can change the values of temperature, flow, pressure, etc., which might increase the stress on the equipment resulting in physical damage to the site and potentially nearby operators,” Cyble wrote. Exposed SCADA systems could also be operated by an attacker, who could additionally gain insights into confidential and sensitive intelligence which can be further used to compromise the complete ICS environment, it continued. “Exposing systems like this allows attackers to target a particular component within the environment and start a chain of events by manipulating various processes involved in the targeted facility.”
Vulnerable VNC an easy target for attackers
Speaking to CSO, John Bambenek, principal threat hunter at Netenrich, says that VNC allows for access to a target machine and has woefully insufficient tools to protect those machines – even when passwords are used. “The harms that can be caused depend on the organization and user permissions that VNC is running under. In one example, a ministry of health system was exposed, which means private health information is exposed,” he says.
Tim Silverline, vice president of security at Gluware, concurs. “Remote desktop services such as VNC are some of the easiest targets for hackers to identify because they operate on well-known default ports and there are many tools out there to both scan for these services and brute-force the passwords of the ones they find,” he tells CSO.
Any organization that runs remote access services that are public facing with unconfigured authentication are essentially putting up the welcome sign for adversaries, adds Rick Holland, CISO, vice president strategy at Digital Shadows. “Finding these types of open services is trivial, so any actor, from script kiddies to sophisticated actors, could leverage these misconfigurations to gain initial access to the environment.”
One of the challenges with defending critical infrastructure environments is that many defenders assume that there is an air gap separating traditional IT networks from ICS networks, Holland says. “Segmented networks aren’t always in place, and defenders must have real-time visibility into public-facing services. These services must have network access restricted with strong authentication enabled, including certificate-based authentication.”
Silverline advises business to limit their VNC internet exposure and to mandate multi-factor authentication (MFA) for any remote connectivity into a network, including through VPN or directly through protocols like RDP, VNC, or SSH. “This prevents brute-force attempts from succeeding and substantially increases the difficulty of a hacker to gain access to the network.”
Copyright © 2022 IDG Communications, Inc.
