Mon | Aug 15, 2022 | 3:47 PM PDT

New research shows there are more than 9,000 exposed Virtual Network Computing (VNC) servers that are being used without authentication, some of which belong to organizations in critical infrastructure. 

VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another machine. It relays graphical screen changes while transmitting mouse and keyboard inputs from one machine to another via a network.

Security firm Cyble has noted an increase in cyberattacks targeting the port 5900, the default port for VNC. The company shared this graphic, depicting attacks on port 5900 from July 9 through August 9, 2022:

It also shared the top five countries with exposed VNCs over the internet. The United States is third with 835.

Exposed VNCs and critical infrastructure

Researchers for Cyble show how one individual known as "Spielerkid89" connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. They say that he could remotely access a ministry employee's desktop without a password or authentication. This allowed him to access all the files and information on the computer, including names, IP addresses, financial documents, and more.

Spielerkid89 shared this screenshot of the desktop:

Cyble says that a successful cyberattack, like ransomware or other sophisticated attacks, is typically preceded by an initial compromise to the victim's network, like the example above. Any organization that leaves VNCs exposed to the internet dramatically increases the likelihood of a cyber incident.

The security firm also discussed how some of the exposed VNCs belong to critical infrastructure organizations, such as water treatment plants, manufacturing plants, research facilities, etc.

Researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control and Data Acquisition Systems (SCADA), Workstations, etc., that were connected via VNC and exposed over the internet.

The screenshot below shows an exposed HMI from the Oil and Gas sector:

And this one depicts an exposed HMI for controlling pumps:

Cyble says "an attacker gaining access to the above dashboard can manipulate the predefined settings of the operator and can change the values of temperature, flow, pressure, etc., which might increase the stress on the equipment resulting in physical damage to the site and potentially nearby operators."

The attacker would also have the ability to change the set points, rotations, and pump stations, which could result in loss of operations and ultimately affect the supply chain of the industry.

Garrett Carstens, Director of Intel Collection Management at Intel471, shares his thoughts on the research from Cyble:

"This is an important finding. Threat actors are constantly on the lookout for initial accesses into organizations; whether it’s paid or opportunistic it often doesn't matter, as an initial access will be reviewed, assessed and if viable, used for follow-on attacks.

With respect to critical infrastructure, these accesses can be used for anything from data theft to sabotage to carrying out a ransomware or wiper attack, depending on capabilities and intent of the threat actor.

VNCs can be a critical element of an organization's business strategy; enabling anything from standard remote work to technical support to business continuity during a disaster. However, just like any other internet-facing device, security-based planning should be incorporated into the strategy.

Organizations should constantly strive to review and refine their attack surface. Organizations must remain aware and vigilant in identifying ways threat actors may target their people, processes or systems and proactively take measures to prevent or detect and respond to attacks."

Recommendations for exposed VNCs

Researchers for Cyble provide these eight recommendations for organizations who use VNCs:

  1. Make sure critical assets within the IT/OT environment are behind firewalls.
  2. Limit exposure of VNC over the internet.
  3. Ensure the devices within the ICS environment are patched with the recent updates released by the official vendor.
  4. Follow a strong password policy within the organization.
  5. Make sure proper access controls are placed within the organization.
  6. Logging and monitoring assets can help in finding the anomalies within the network.
  7. Enable all the necessary security measures for VNC.
  8. Cyber security awareness and training programs are necessary for employees operating in an ICS environment.

See the original report from Cyble for additional information.