Cyble Research: Exposed VNC Ports Threaten Critical Infrastructure

New Cyble research highlights the discovery of over 8,000 exposed virtual network computing (VNC) endpoints that allow access to networks without authentication.

VNC is a graphical desktop-sharing system that allows control of another machine remotely. It mirrors graphical screen changes, as well as keyboard and mouse inputs from one machine to another.

Many of the exposed VNCs belonged to industrial control systems that should never be exposed, according to the Cyble research.

The United States, China and Sweden are among the top five countries with exposed VNCs over the internet.

Numerous Critical Infrastructure Organizations at Risk

The exposed VNCs found during the time of analysis belong to various critical infrastructure organizations. Those include water treatment plants, manufacturing plants, research facilities and more.

Researchers narrowed down multiple human machine interface (HMI) systems, supervisory control and data acquisition systems (SCADA) and workstations connected via VNC and exposed over the internet.

“A successful cyberattack by any ransomware, data extortion, advanced persistent threat (APT) groups, or other sophisticated cybercriminals is usually preceded by an initial compromise into the victim’s enterprise network,” Cyble said.

An organization leaving exposed VNCs over the internet broadens the scope for attackers. In addition, it drastically increases the likelihood of cyber incidents.

The Cyble research found buying, selling and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets.

Cybel Research an ‘Important Finding’

Garrett Carstens, director of intel collection management at Intel 471, said this is an important finding.

Intel 471’s Garrett Carstens

“Threat actors are constantly on the lookout for initial accesses into organizations,” he said. “Whether it’s paid or opportunistic, it often doesn’t matter, as an initial access will be reviewed, assessed and if viable, used for follow-on attacks.”

Cybercriminals can use these accesses for anything from data theft to sabotage, Carstens said. They also can carry out a ransomware or wiper attack, depending on capabilities and intent.

VNCs can be a critical element of an organization’s business strategy, Carstens said. They’ll enable anything from standard remote work to technical support, to business continuity during a disaster.

“Organizations should constantly strive to review and refine their attack surface,” he said.

Businesses must remain aware and vigilant in identifying ways threat actors may target their people, processes or systems, Carstens said. Moreover, they must proactively take measures to prevent, or detect and respond to attacks.

‘Enormous Deal’ for Companies

Tim Silverline is vice president of security at Gluware. He said the Cyble research is an “enormous deal” for the companies with exposed instances that have disabled authentication.

Gluware’s Tim Silverline

“It is never advisable to expose remote desktop protocols (RDPs) directly to the internet without protecting them by VPN,” he said. “This is one of the primary methods that ransomware gangs use to gain access and compromise networks to extort ransom. In this case, not only are they exposing a remote desktop service to the internet. They have disabled even the need to know a password in order to connect.”

Anyone Can Have Access

The dangers in leaving these systems exposed without authentication is allowing anyone on the internet direct access to the internal networks of the companies, and potentially with the permissions to cause immediate harm by deploying ransomware or disrupting company operations, Silverline said.

“They talk about critical infrastructure because several of the assets which were scanned and found to be open during this exercise were in critical infrastructure companies with access to things like oil and gas lines, and water pumps,” he said. “Being able to remotely change these settings could have devastating and potentially life-impacting consequences. Many people have heard about the attempt to poison the water supply in Oldsmar, Florida, in 2021. Leaving systems with these kinds of capabilities open for anyone to connect to dramatically increases the likelihood for similar attempts in the future.”

A successful attack that brought down enough energy generation could cause a catastrophic cascading series of failures, Silverline said. That could result in disruption of the grid in a very wide region for a long time.

Appealing Soft Targets

Rajiv Pimplaskar is CEO of Dispersive Holdings.

Dispersive’s Rajiv Pimplaskar

“As the Cyble report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices can present appealing soft targets, especially with exposed VNC,” he said. ” A key strategy for avoidance is using stealth networking, which obfuscates source to destination relationships, as well as sensitive data flows. Such technology can assure full privacy and anonymity of all protected OT assets without adversely impacting their ability to communicate. This makes it virtually impossible for a threat actor to detect or target such systems even with exposed VNC and other vulnerabilities adding defense in depth to the infrastructure.”