March 2, 2024
Critical infrastructure, not just private computing, is at risk.

A software tool designed to allow legitimate remote access to computer desktops has vulnerabilities that leave critical infrastructure operators open to cyberattacks, according to a cybersecurity company.

The virtual network computing tool, designed to allow remote desktop sharing, is often used in tech help-desk situations or when a computer user is traveling or wants to access a second computer in the house. However, cybersecurity firm Cyble has found more than 8,000 instances of VNC not being protected by user authentication, including many exposed installations in the United States, Western Europe, and China.

Cyble found more than 1,500 exposed installations in China and in Sweden and more than 800 in the U.S., with more than 6 million hacking attempts on networking port 5900, the default port for VNC, between July 9 and Aug. 9.

In several cases, the attacks targeted organizations operating critical infrastructure, and in one case, a hacker was able to gain access to the Ministry of Health in Russia, the company said. On some hacking forms, members are selling data obtained through exposed VNC ports, it added.

“A successful cyberattack by any ransomware, data extortion, advanced persistent threat groups, or other sophisticated cybercriminals is usually preceded by an initial compromise into the victim’s enterprise network,” Cyble’s researchers said. “An organization leaving exposed VNCs over the internet broadens the scope for attackers and drastically increases the likelihood of cyber incidents.”

While VNC-based attacks aren’t new, it’s important to point out the potential effects on critical infrastructure and other organizations, cybersecurity experts said.

Hackers could use VNC attacks on critical infrastructure operators for data theft, sabotage, ransomware schemes, or to wipe data, said Garrett Carstens, the director of Intel collection management at Intel 471, a cybersecurity provider.

“Threat actors are constantly on the lookout for initial accesses into organizations,” Carstens told the Washington Examiner. “An initial access will be reviewed, assessed, and, if viable, used for follow-on attacks.”

VNC attacks should be well-known on traditional IT networks, but organizations running so-called operational technology systems, including industrial control systems connected to manufacturing equipment, power plants, pipelines, and other critical infrastructure, may be less familiar, added Chris Clymer, the director and chief information security officer at Inversion6, a cybersecurity risk management firm.

Many of these control systems have been connected to the broader internet in recent years, as organizations began to embrace the Internet of Things to control and monitor infrastructure remotely.

With these industrial control systems opening up to broader access, they have “taken these lurking issues like VNC and placed them out there to be taken advantage of,” Clymer said. “The entire OT space is far, far behind when it comes to security, and only a few organizations are starting to invest and focus on security here.”

In recent years, “antiquated” industrial control systems have been connected to the internet, added Bill Moore, the founder and CEO of XONA, an OT security provider.

“This is a growing problem as well because unless these systems have been audited, they may not be aware they are even running a VNC service,” he told the Washington Examiner. The recent convergence of IT and OT systems “has increased vulnerabilities and made OT systems, many of which were never intended to be connected to the internet, a more available and attractive target for threat actors.”

VNC has been a longtime favorite target of hackers because it can give them full system access and often is protected with weak or no authentication, Clymer told the Washington Examiner. Penetration testers frequently target VNC when looking for holes in a company’s networks, he added.

“Every time I’ve seen a tester find VNC available on a network, they are immediately doing the happy dance,” he said. “They have a plethora of attacks to use and almost always find a way into a system running VNC.”

Leave a Reply