VNC instances exposed to Internet pose critical infrastructures at risk

Researchers from threat intelligence firm Cyble reported a surge in attacks targeting virtual network computing (VNC).

Virtual Network Computing (VNC) is a graphical desktop-sharing system that leverages the Remote Frame Buffer (RFB) protocol to control another machine remotely. It transmits the keyboard and mouse input from one computer to another, relaying the graphical-screen updates, over a network.

Researchers from Cyber looked for VNC exposed over the internet and discovered over 8000 VNC instances with authentication disabled, most of them in China, Sweden, and the United States.

Cyble observed a surge in attacks on the default port for VNC, port 5900, most of them originated from the Netherlands, Russia, and Ukraine. Exposing VNCs to the internet, increases the likelihood of a cyberattack.

Threat actors could use the access through VNC to carry out a broad range of malicious activities, such as deploying ransomware, malware, or spy on the victims.

The researchers discovered multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet

Cyble also reported that threat actors are selling access to systems exposed on the Internet via VNC on cybercrime forums.

“Our investigation found that selling, buying, and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets. A few examples of the same can be seen in the figures below.” Cyble states.

The experts pointed out that even if the count of exposed VNCs is low compared to previous years, some of the exposed VNCs belong to various organizations in the Critical Infrastructures sector such as water treatment plants, manufacturing plants, research facilities, etc.

“Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies. However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.” Cyble concludes. “Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VNC)

[adrotate banner=”5″]

[adrotate banner=”13″]