Security researchers have warned that countless global organizations might be at risk of remote compromise after discovering more than 8,000 exposed Virtual Network Computing (VNC) instances. Despite the name, VNC has nothing to do with virtual networking: it is a remote-desktop system. A VNC server runs on the machine to be controlled, sends the contents of its screen (the framebuffer) to a VNC client over the Remote Framebuffer (RFB) protocol, and injects the client's keyboard and mouse input into the local session. The server normally listens on TCP port 5900 plus the display number (5900 for display :0, 5901 for :1, and so on), which is why port 5900 is the one scanners sweep.
Authentication is negotiated at the start of every connection: the server advertises the security types it supports, and the client picks one. A server configured with the "None" security type, or one where the client can select it, lets anyone who can reach the port take over the desktop without supplying a password. In industrial environments VNC is commonly used to reach operator consoles remotely, so an exposed, unauthenticated instance frequently hands an attacker the same controls as the operator sitting at the panel.
VNC is a cross-platform screen-sharing system that allows a user to view and control another computer's desktop remotely. On the more than 8,000 instances the researchers discovered, authentication was disabled, so anyone who could reach the port could hijack the endpoint and, in many cases, the industrial control systems behind it. During the investigation, the researchers identified Human Machine Interface (HMI) panels, Supervisory Control and Data Acquisition (SCADA) systems, engineering workstations and similar assets reachable over VNC from the internet.
Malicious hackers can use internet-wide scanning search engines to find victim organizations with exposed VNC servers. Once connected to an unauthenticated HMI, they can abruptly change set points, rotation settings and pump station controls straight from the operator interface, resulting in loss of operations. This can in turn disrupt the supply chain and the processes that depend on the affected industries.
APT actors could exploit the exposed VNC deployments not only for sabotage and reconnaissance but also for data theft, extortion and ransomware, the researchers warned. They reported surges in attacks on TCP port 5900, the default VNC port, between 09 July 2022 and 09 August 2022, most of which originated from the Netherlands, Russia and Ukraine. The countries with the most exposed VNC instances were China (1,555), Sweden (1,506), the US (835), Spain (555) and Brazil (529).
Remote access to IT/OT infrastructure assets is efficient and was widely adopted during the COVID-19 pandemic under work-from-home policies. Without appropriate safeguards and security checks in place, however, it can lead to severe monetary loss.
Leaving VNC servers exposed to the internet without any authentication makes it easy for intruders to get into the victim's network and cause havoc. Even where a password is set, classic VNC Authentication is weak: the password is truncated to eight characters and used as a DES key in a challenge-response exchange, so weak passwords can be guessed online and captured handshakes attacked offline. Attackers may also exploit vulnerabilities in the VNC server software itself to connect to the exposed asset(s).
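The check a practitioner wants here is whether a given VNC server will actually accept a session with no password. The script below is an added example, not code from the original report or from Red Sky Alliance; it performs only the version and security-type messages of the RFB handshake and reports which security types the server offers, flagging any server that advertises type 1 ("None"). The security-type numbers are from the RFB specification; the host, port and output format are the example's own, and the parsing functions are separated from the network code so they can be exercised on captured bytes. Only probe hosts you are authorised to test.

```python
"""Probe an RFB (VNC) server's advertised security types to see whether it
allows unauthenticated sessions. Only the version and security-type handshake
messages are exchanged; no session is opened and nothing else is sent."""
import socket
import struct
import sys

# Security-type numbers from the RFB protocol specification (section 7.1.2).
SECURITY_NONE = 1          # no authentication at all
SECURITY_NAMES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple ARD",
}


def parse_server_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def parse_security_types(minor: int, data: bytes) -> tuple[list[int], str]:
    """Parse the server's security-type message for the negotiated 3.x minor.

    3.3: a single U32 security type; 0 means the connection failed.
    3.7 and 3.8: a U8 count followed by that many U8 types; a count of 0
    is followed by a U32 length and an ASCII reason string.
    Returns (types, failure_reason).
    """
    if minor == 3:
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security message")
        (sec_type,) = struct.unpack("!I", data[:4])
        return ([sec_type], "") if sec_type else ([], _reason(data[4:]))
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        return [], _reason(data[1:])
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types, ""


def _reason(data: bytes) -> str:
    """Decode the U32-length-prefixed reason string that follows a refusal."""
    if len(data) < 4:
        return ""
    (n,) = struct.unpack("!I", data[:4])
    return data[4:4 + n].decode("ascii", "replace")


def classify(types: list[int]) -> str:
    """Summarise what the advertised types mean for an attacker."""
    if not types:
        return "refused"
    if SECURITY_NONE in types:
        # Offering 'None' at all is enough: the client chooses the type.
        return "NO AUTHENTICATION"
    names = ", ".join(SECURITY_NAMES.get(t, f"type {t}") for t in types)
    return f"authenticated ({names})"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> str:
    """Connect, negotiate the protocol version and read the security types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_server_version(_recv_exact(s, 12))
        # Per the spec, any version other than 3.7/3.8 is treated as 3.3.
        use = minor if major == 3 and minor in (7, 8) else 3
        s.sendall(f"RFB 003.00{use}\n".encode("ascii"))
        data = s.recv(1024)
    types, reason = parse_security_types(use, data)
    suffix = f" ({reason})" if reason else ""
    return f"{host}:{port} RFB 3.{use} -> {classify(types)}{suffix}"


if __name__ == "__main__":
    # Usage: python vnc_probe.py HOST [PORT]  (hypothetical file name)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    print(probe(target, target_port))
```

A server that offers "None" alongside "VNC Authentication" is still reported as unauthenticated, because the client, not the server, selects the type. Run the probe from the outside (a cloud host or a scanning appliance), not from inside the plant network, to see what an internet attacker sees.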
Investigators recommended that firms running VNC improve security awareness training, put proper access policies and firewalls in place so that VNC is reachable only through a VPN or jump host rather than directly from the internet, and make sure devices are patched and continuously monitored.
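"Continuously monitored" is easier to act on with a concrete detection. The following is an added example, not part of the original report or of Red Sky Alliance's tooling: it parses netfilter-style firewall log lines, flags sources sweeping the VNC port range across many hosts (the port 5900 surge the researchers describe), and flags any accepted inbound VNC connection from outside an assumed management range. The log prefixes "FW-ACCEPT"/"FW-DROP", the 10.0.0.0/8 allow-list and the sample lines are all constructed for the example.

```python
"""Flag VNC scanning and VNC exposure from netfilter-style firewall logs."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Displays :0 .. :99 land on these ports; scanners sweep the whole range.
VNC_PORTS = range(5900, 6000)
# Assumed management range (VPN / jump host) that may legitimately reach VNC.
ALLOWED_SOURCES = [ip_network("10.0.0.0/8")]

# Field layout follows iptables/nftables LOG output; the FW-ACCEPT/FW-DROP
# prefixes are assumed log-prefix settings, not defaults.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"(?P<action>FW-ACCEPT|FW-DROP) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not a TCP log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def analyze(lines, scan_threshold: int = 5) -> dict:
    """Return sources sweeping VNC ports and accepted VNC connections from
    outside the allowed management range."""
    targets_by_src = defaultdict(set)   # src -> {(dst, dpt), ...}
    exposures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in VNC_PORTS:
            continue
        targets_by_src[rec["src"]].add((rec["dst"], rec["dpt"]))
        if rec["action"] == "FW-ACCEPT" and not any(
            ip_address(rec["src"]) in net for net in ALLOWED_SOURCES
        ):
            exposures.append((rec["ts"], rec["src"], rec["dst"], rec["dpt"]))
    scanners = sorted(
        src for src, targets in targets_by_src.items() if len(targets) >= scan_threshold
    )
    return {"scanners": scanners, "exposures": exposures}


# Constructed sample lines (not real traffic): one host sweeping port 5900
# across the subnet, one accepted VNC connection from the internet, one
# accepted from the management range, and an unrelated SSH attempt.
SAMPLE_LOG = [
    "Aug  3 14:02:11 fw kernel: [ 1234.001] FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP SPT=51234 DPT=5900 SYN",
    "Aug  3 14:02:11 fw kernel: [ 1234.002] FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.21 PROTO=TCP SPT=51235 DPT=5900 SYN",
    "Aug  3 14:02:12 fw kernel: [ 1234.003] FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.22 PROTO=TCP SPT=51236 DPT=5900 SYN",
    "Aug  3 14:02:12 fw kernel: [ 1234.004] FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.23 PROTO=TCP SPT=51237 DPT=5900 SYN",
    "Aug  3 14:02:13 fw kernel: [ 1234.005] FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.24 PROTO=TCP SPT=51238 DPT=5900 SYN",
    "Aug  3 14:02:20 fw kernel: [ 1243.010] FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.30 PROTO=TCP SPT=40001 DPT=5901 SYN",
    "Aug  3 14:03:05 fw kernel: [ 1288.400] FW-ACCEPT IN=tun0 OUT= SRC=10.8.0.4 DST=192.0.2.30 PROTO=TCP SPT=40002 DPT=5900 SYN",
    "Aug  3 14:03:09 fw kernel: [ 1292.123] FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=33333 DPT=22 SYN",
]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("VNC sweep sources:", result["scanners"])
    for ts, src, dst, dpt in result["exposures"]:
        print(f"{ts} accepted VNC from outside management range: {src} -> {dst}:{dpt}")
```

An accepted connection from outside the management range is the finding to act on first: it means the firewall rule the investigators recommend is missing, independent of whether the VNC server behind it has a password.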
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Article: TR-22-241-001.pdf
https://www.infosecurity-magazine.com/news/critical-infrastructure-vnc/