This article is more than 1 year old
It's 2022 and there are still thousands of public systems using password-less VNC
Let alone the ones with 123456 to login. How sophisticated do attackers really need to be?
Thousands of machines on the public internet can be remotely controlled via VNC without any authentication, a cybersecurity vendor has reminded us this month.
These boxes, minus any that are honeypot devices, provide an easy, unhindered route into corporate networks, critical infrastructure, and other computer systems, for miscreants, spies, and ransomware slingers, potentially.
Researchers at Cyble said they found more than 8,000 internet-facing VNC endpoints around the world that could be easily accessed without any kind of password.
Indeed, a quick glance at Shodan.io just now revealed more than 640,000 machines exposing VNC services to the planet, though not all of them will be lacking authentication checks. We previously warned of open VNC systems here.
The Cyble team said as well as those thousands of unprotected endpoints it found, it witnessed miscreants and bots scanning the 'net for active services on the default VNC TCP port 5900, detecting about seven surges of such activity between July 9 and August 9. This, we're told, totaled more than six million attempts to detect running VNC services. Most of those scans came from the Netherlands, Russia, and Ukraine, said Cyble.
"A successful cyberattack by any ransomware, data extortion, Advanced Persistent Threat (APT) groups, or other sophisticated cybercriminals is usually preceded by an initial compromise into the victim's enterprise network," the Cyble analysts wrote. "An organization leaving exposed VNCs over the internet broadens the scope for attackers and drastically increases the likelihood of cyber incidents."
Details on how to access valuable systems via VNC – either due to no authentication, or stolen or leaked credentials – are traded on cyber-crime forums. Crooks like to buy these details to easily get into networks and infect them, siphon information, or use them to attack other organizations; sometimes crooks can pay a black-hat hacker to perform this initial entry for them. In any case, open VNC-accessible systems are just what these kinds of criminals are looking for.
Secure, if managed right
VNC is a platform-independent remote desktop system that uses the Remote Frame Buffer (RFB) protocol to do its stuff. It's most useful for connecting into an out-of-reach computer or equipment that needs to be monitored, adjusted, or repaired at a software level. If a VNC endpoint is exposed to the internet and does not require a password for access, unauthorized users – including ransomware operators and other scumbags – can get in and use this as a launching pad for attacks.
"Even though the count of exposed VNCs is low compared to previous years, it should be noted that the exposed VNCs found during the time of analysis belong to various organizations that come under Critical Infrastructures such as water treatment plants, manufacturing plants, research facilities, etc," the Cyble researchers wrote, adding that they "were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc, connected via VNC and exposed over the internet."
- That Pulse Secure VPN you're using to protect your data? Better get it patched – or it's going to be ransomware time
- RDP loves company: Kaspersky finds 37 security holes in VNC remote desktop software
- Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher
- Legacy kit, no antivirus, weak crypto. Yep. They're talking critical industrial networks
They showed as an example a password-less VNC-accessible control panel at an oil-and-gas operation. In a worst case scenario, a miscreant could use this unfettered access to alter the temperature, flow, and pressure in the depicted equipment, which could increase the stress on systems and damage the site. As mentioned, the Shodan search engine lists thousands of exposed endpoints, some of which require authentication and some don't.
China, Sweden, and America had the most exposed instances, according to Cyble's research. Spain and Brazil rounded out the top-five list.
The US government over the past few years has put a focus on security threats to critical infrastructure and industrial control systems (ICS), including SCADA operations, particularly in the wake of attacks last year on Colonial Pipeline and JBS Foods. Leaving such systems exposed "allows attackers to target a particular component within the environment and start a chain of events by manipulating various processes involved in the targeted facility," the Cyble researchers wrote.
"Attackers can even gain insights into confidential and sensitive intelligence like the Alarm Set points, Device ID, Network details, Control Flow, etc, which can be further utilized to compromise the complete ICS environment."
Enterprises need to safeguard VNC instances with authentication enabled, VPN-level access enforced, and other measures, according to Tim Silverline, veep of security at network automation vendor Gluware. Unprotected remote-desktop services are perfect for ransomware gangs seeking to gain initial access into an organization.
"Many hackers spend lots of time phishing users to compromise computers remotely to gain access to the internal networks of targeted companies," Silverline told The Register. "Exposed VNC instances with authentication disabled allows for hackers to gain control of internal assets without even needing to trick a user into doing anything."
Rick Holland, CISO and vice president of strategy at cybersecurity firm Digital Shadows, told The Register that running a public-facing remote access service with unconfigured authentication is akin to putting up a welcome sign to attackers.
"Sadly, public-facing VNC is no surprise, highlighting the challenges in implementing 'security basics,'" Holland said. "Finding these types of open services is trivial, so any actor, from script kiddies to sophisticated actors, could leverage these misconfigurations to gain initial access to the environment."
Cyble outlined a range steps organizations can take to limit the risk, including ensuring critical IT and operational technology (OT) assets are behind firewalls, thus limiting the exposure of systems to the internet, and following strong password practices as well as keeping stuff patched and up to date.
Rajiv Pimplaskar, CEO of network security specialist Dispersive Holdings, told The Register that "stealth networks" are one way to combat miscreants scanning the internet for vulnerable services to exploit or attack. Pimplaskar said stealth networking "obfuscates source-to-destination relationships as well as sensitive data flows. Such technology can assure full privacy and anonymity of all protected OT assets without adversely impacting their ability to communicate." ®