



Exposed VNC instances threaten critical infrastructure as attacks spike

News Analysis
Aug 16, 2022 | 5 mins
Critical Infrastructure | Remote Access Security

Threats surrounding Virtual Network Computing laid bare as attacks targeting critical infrastructure increase.


New research from threat intelligence and cybersecurity company Cyble has identified a peak in attacks targeting virtual network computing (VNC) – a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to control another machine remotely – in critical infrastructure sectors. By analyzing the data from its Global Sensor Intelligence (CGSI), Cyble researchers noticed a threefold spike in attacks on port 5900 (the default port for VNC) between July 9 and August 9, 2022. Most attacks originated from the Netherlands, Russia, and Ukraine, according to the firm, and highlight the risks of exposed VNC in critical infrastructure.

Exposed VNC putting ICS at risk, assets frequently distributed on cybercrime forums

According to a blog posting detailing Cyble’s findings, organizations that expose VNC over the internet without enabling authentication broaden the scope for attackers and increase the likelihood of cyber incidents. Cyble detected more than 8,000 exposed VNC instances with authentication disabled. It also found that exposed assets reachable via VNC are frequently sold, bought, and distributed on cybercrime forums and markets.
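What “authentication disabled” means on the wire, as an added example that is not part of Cyble’s research or this article: the parser below reads the server side of a VNC handshake (the RFB protocol, RFC 6143) and reports which security types the server offers. Type 1 (“None”) means any client that connects gets a session without presenting a credential; type 2 (“VNC Authentication”) is a DES challenge-response on a password truncated to 8 bytes with no transport encryption, which is why a password alone is thin protection. The handshake bytes are constructed, not captured from any host, and the function names and finding labels are assumptions of this example; it is written for auditing packet captures or inventory records of your own systems.

```python
import struct

# Security-type numbers from the RFB registry (RFC 6143, section 7.1.2).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}
ENCRYPTED_TYPES = {18, 19}  # types that wrap the session in TLS before any credential is sent


def _read_reason(rest: bytes) -> str:
    """A refused connection carries a U32 length followed by a reason string."""
    (length,) = struct.unpack(">I", rest[:4])
    return rest[4:4 + length].decode("latin-1", "replace")


def classify(offered, reason=None) -> str:
    """Rank the exposure of a server from the security types it offers (labels are this example's own)."""
    offered = set(offered)
    if reason is not None:
        return "refused"
    if 1 in offered:
        # Type "None": the server hands out a session with no credential at all.
        return "no_auth"
    if offered & ENCRYPTED_TYPES:
        # Still weak if plain VNC Authentication is offered alongside: a client may pick the weaker type.
        return "downgrade_possible" if 2 in offered else "encrypted"
    if offered == {2}:
        # DES challenge-response on a password truncated to 8 bytes, sent without transport encryption.
        return "weak_auth"
    return "other"


def parse_rfb_server_security(data: bytes) -> dict:
    """Parse the server's ProtocolVersion message plus its security handshake.

    RFB 3.7/3.8: a U8 count followed by that many U8 security types (the client picks one).
    RFB 3.3: a single U32 security type chosen by the server.
    A count (or type) of zero means the server refused and a reason string follows.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    version = data[:12].decode("ascii").rstrip("\n")
    major, minor = (int(x) for x in version[4:].split("."))
    body = data[12:]
    result = {"version": version, "offered": [], "reason": None}

    if (major, minor) >= (3, 7):
        if not body:
            raise ValueError("truncated security handshake")
        count = body[0]
        if count == 0:
            result["reason"] = _read_reason(body[1:])
        else:
            if len(body) < 1 + count:
                raise ValueError("truncated security-type list")
            result["offered"] = list(body[1:1 + count])
    else:
        if len(body) < 4:
            raise ValueError("truncated security handshake")
        (sec_type,) = struct.unpack(">I", body[:4])
        if sec_type == 0:
            result["reason"] = _read_reason(body[4:])
        else:
            result["offered"] = [sec_type]

    result["names"] = [SECURITY_TYPES.get(t, f"unknown({t})") for t in result["offered"]]
    result["finding"] = classify(result["offered"], result["reason"])
    return result


# Constructed server handshakes (not captured from any real host).
SAMPLES = {
    "auth disabled (3.8)": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "vnc auth only (3.8)": b"RFB 003.008\n" + bytes([1, 2]),
    "vencrypt plus vnc auth": b"RFB 003.008\n" + bytes([2, 19, 2]),
    "vencrypt only": b"RFB 003.008\n" + bytes([1, 19]),
    "legacy 3.3, no auth": b"RFB 003.003\n" + struct.pack(">I", 1),
    "refused": b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 7) + b"No room",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = parse_rfb_server_security(raw)
        print(f"{label:24s} {r['version']:12s} {r['finding']:18s} {r['names']}")
```

Run against a capture of your own VNC servers, a `no_auth` or `weak_auth` finding is the condition the article describes; `downgrade_possible` is worth flagging too, because offering VeNCrypt alongside plain VNC Authentication leaves the choice to whoever connects.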

“Even though the count of exposed VNCs is low compared to previous years, it should be noted that the exposed VNCs found during the time of analysis belong to various organizations that come under critical infrastructures such as water treatment plants, manufacturing plants, research facilities,” the firm added. Cyble researchers were able to narrow down multiple human machine interface (HMI) systems, supervisory control and data acquisition (SCADA) systems, and workstations connected via VNC and exposed over the internet.

An attacker gaining access to a dashboard “can manipulate the predefined settings of the operator and can change the values of temperature, flow, pressure, etc., which might increase the stress on the equipment resulting in physical damage to the site and potentially nearby operators,” Cyble wrote. Exposed SCADA systems could also be operated by an attacker, who could additionally gain insights into confidential and sensitive intelligence which can be further used to compromise the complete ICS environment, it continued. “Exposing systems like this allows attackers to target a particular component within the environment and start a chain of events by manipulating various processes involved in the targeted facility.”

Remote working, global hacktivism, initial access brokers possibly behind spike in attacks

Speaking to CSO, Dhanalakshmi PK, senior director of malware and intelligence research at Cyble, says that three factors are believed to have played a key role in the increased attacks on VNC. These are remote working, a rise in global hacktivism, and more initial access brokers targeting ICS. “Multiple organizations were not prepared for the sudden shift from an offline work environment to remote working environment which resulted in exposure of services like VNC and RDP over the internet as these services are used for connecting with assets remotely,” she says. Technical support teams also relied on these services to remotely troubleshoot the workstations installed in various institutes. “As the shift to remote work was sudden, this led to the exposure of VNC globally.”

Furthermore, hacktivist groups are actively scanning, exploiting, and claiming attacks on ICS, and due to the volatile events happening around the globe, script kiddies and threat actors are targeting VNC services because they can be considered low-hanging fruit, Dhanalakshmi PK adds. “Hacktivist groups that are politically or religiously motivated are targeting IT/OT infrastructure within a few hours of an incident in a particular state or nation and targeting VNC via brute force attacks can fetch them a foothold over a workstation involved in a critical process.”

What’s more, initial access brokers – financially motivated threat actors that obtain access to enterprises by leveraging various tactics before selling to ransomware-as-a-service (RaaS) operators, APT groups, and other cybercriminals on cybercrime forums – have been selling initial access to targeted infrastructure via various remote applications including VNC, Dhanalakshmi PK says. “Ultimately, the spike in attacks targeting VNC in critical infrastructure sectors shows that adversaries are using valid accounts or performing brute force attacks to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user, which might lead to targeted APT or ransomware attacks,” she adds.
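Two things the article describes, a threefold rise in connections to port 5900 over a window (Cyble’s sensor finding above) and repeated logins from one source (the brute-force pattern Dhanalakshmi PK describes), both leave traces in ordinary perimeter connection logs. As an added example that is not Cyble’s code or telemetry, the script below runs over a constructed log excerpt: it counts inbound connections to port 5900 per day, compares the latest days to the earlier baseline, and flags any source that opens a burst of connections within a short window. The log format, the IP addresses (from the RFC 5737 documentation ranges), the window and the thresholds are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

VNC_PORT = 5900  # default RFB port, as named in the article

# Constructed connection-log excerpt (not real telemetry). Fields:
# timestamp src_ip dst_ip dst_port action. Addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-07-01T01:00:00Z 203.0.113.10 192.0.2.5 5900 ACCEPT
2022-07-01T13:00:00Z 203.0.113.22 192.0.2.5 5900 ACCEPT
2022-07-02T02:00:00Z 203.0.113.31 192.0.2.5 5900 ACCEPT
2022-07-02T09:30:00Z 198.51.100.40 192.0.2.5 22 ACCEPT
2022-07-02T14:00:00Z 198.51.100.40 192.0.2.5 5900 ACCEPT
2022-07-03T03:00:00Z 203.0.113.10 192.0.2.5 5900 ACCEPT
2022-07-03T16:00:00Z 203.0.113.55 192.0.2.5 5900 ACCEPT
2022-07-04T04:00:00Z 198.51.100.8 192.0.2.5 5900 ACCEPT
2022-07-04T17:00:00Z 203.0.113.22 192.0.2.5 5900 ACCEPT
2022-07-05T03:00:00Z 198.51.100.7 192.0.2.5 5900 ACCEPT
2022-07-05T03:01:00Z 198.51.100.7 192.0.2.5 5900 ACCEPT
2022-07-05T03:02:00Z 198.51.100.7 192.0.2.5 5900 ACCEPT
2022-07-05T03:03:00Z 198.51.100.7 192.0.2.5 5900 ACCEPT
2022-07-05T03:04:00Z 198.51.100.7 192.0.2.5 5900 ACCEPT
2022-07-05T15:00:00Z 203.0.113.10 192.0.2.5 5900 ACCEPT
2022-07-06T01:00:00Z 203.0.113.61 192.0.2.5 5900 ACCEPT
2022-07-06T05:00:00Z 203.0.113.62 192.0.2.5 5900 ACCEPT
2022-07-06T08:00:00Z 203.0.113.61 192.0.2.5 443 ACCEPT
2022-07-06T09:00:00Z 203.0.113.63 192.0.2.5 5900 ACCEPT
2022-07-06T13:00:00Z 203.0.113.64 192.0.2.5 5900 ACCEPT
2022-07-06T17:00:00Z 203.0.113.65 192.0.2.5 5900 ACCEPT
2022-07-06T21:00:00Z 203.0.113.66 192.0.2.5 5900 ACCEPT
"""


def parse_log(text):
    """Parse the whitespace-separated log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "dport": int(dport), "action": action,
        })
    return records


def daily_counts(records, dport=VNC_PORT):
    """Connections per calendar day to the given destination port."""
    counts = defaultdict(int)
    for r in records:
        if r["dport"] == dport:
            counts[r["ts"].date()] += 1
    return dict(counts)


def spike_ratio(counts, window_days=2):
    """Mean daily count over the most recent window_days divided by the mean over the earlier days.
    Returns None when there is no baseline to compare against."""
    days = sorted(counts)
    if len(days) <= window_days:
        return None
    window = [counts[d] for d in days[-window_days:]]
    baseline = [counts[d] for d in days[:-window_days]]
    base_mean = sum(baseline) / len(baseline)
    return (sum(window) / len(window)) / base_mean if base_mean else None


def burst_sources(records, dport=VNC_PORT, window=timedelta(minutes=10), threshold=5):
    """Sources that opened at least `threshold` connections to dport inside any `window`:
    the repeated-connection pattern a password-guessing attempt leaves behind."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_day = daily_counts(recs)
    for day in sorted(per_day):
        print(day, per_day[day])
    print("spike ratio (last 2 days vs baseline):", spike_ratio(per_day))
    print("burst sources:", burst_sources(recs))
```

On the constructed excerpt the last two days run at three times the baseline and one source shows five connections in four minutes. In practice the baseline should span weeks rather than days, and the same two checks apply unchanged to RDP (3389) and SSH (22), the other remote-access services named in the article.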

Vulnerable VNC an easy target for attackers

Speaking to CSO, John Bambenek, principal threat hunter at Netenrich, says that VNC allows for access to a target machine and has woefully insufficient tools to protect those machines – even when passwords are used. “The harms that can be caused depend on the organization and user permissions that VNC is running under. In one example, a ministry of health system was exposed, which means private health information is exposed,” he says.

Tim Silverline, vice president of security at Gluware, concurs. “Remote desktop services such as VNC are some of the easiest targets for hackers to identify because they operate on well-known default ports and there are many tools out there to both scan for these services and brute-force the passwords of the ones they find,” he tells CSO.

Any organization that runs public-facing remote access services with unconfigured authentication is essentially putting up the welcome sign for adversaries, adds Rick Holland, CISO and vice president of strategy at Digital Shadows. “Finding these types of open services is trivial, so any actor, from script kiddies to sophisticated actors, could leverage these misconfigurations to gain initial access to the environment.”

One of the challenges with defending critical infrastructure environments is that many defenders assume that there is an air gap separating traditional IT networks from ICS networks, Holland says. “Segmented networks aren’t always in place, and defenders must have real-time visibility into public-facing services. These services must have network access restricted with strong authentication enabled, including certificate-based authentication.”

Silverline advises businesses to limit their VNC internet exposure and to mandate multi-factor authentication (MFA) for any remote connectivity into a network, including through VPN or directly through protocols like RDP, VNC, or SSH. “This prevents brute-force attempts from succeeding and substantially increases the difficulty of a hacker to gain access to the network.”