Cyble observes increase in attempts to exploit VNC enabling hackers to target critical infrastructure sectors

Cyble details exposed VNCs that enable hackers to target critical infrastructure sectors

Researchers at the Cyble Global Sensor Intelligence (CGSI) team have detected an increase in attempts to exploit VNC (Virtual Network Computing). The finding comes as roughly 9,000 internet-exposed VNC instances were found to accept connections with no authentication required, in many cases because authentication had been explicitly disabled, giving attackers easy access to internal networks at critical infrastructure installations.

“By analyzing the data from Cyble Global Sensor Intelligence (CGSI), Cyble researchers noticed a peak in attacks on port 5900, which is the default port for VNC,” the Cyble team wrote in a recent blog post. “China, Sweden, and the United States are among the top 5 countries with exposed VNCs over the internet. The majority of attacks originated from the Netherlands, Russia, and Ukraine,” the post added.

The Cyble team said that even though the count of exposed VNCs is low compared to previous years, the exposed VNCs found during the analysis belong to organizations in critical infrastructure sectors, such as water treatment plants, manufacturing plants, and research facilities. During the investigation, researchers identified multiple human machine interface (HMI) systems, supervisory control and data acquisition (SCADA) systems, workstations, and other assets connected via VNC and exposed over the internet.

Researchers noted that an attacker with access to such a system can manipulate the operator's predefined settings and change values such as temperature, flow, and pressure, which can increase stress on equipment and result in physical damage to the site and harm to nearby operators. “Malicious hackers can utilize online search engines to narrow down victim organizations with exposed VNCs. They can also abruptly change the Set Points, Rotations, and Pump stations, resulting in loss of operations. This can even result in disruption of the supply chain and the processes connected with the affected industries,” they added.

VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to control another machine remotely. The server relays screen updates to the client, and the client sends keyboard and mouse input back, all over the network. Authentication is negotiated at the start of every RFB session: the server advertises the security types it supports, and a server that offers the 'None' type hands the desktop to any client that connects, with no password at all.
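To make that negotiation concrete, the following added example (written for this page, not Cyble's code or any VNC project's code) parses the first two messages an RFB server sends and reports whether it advertises the 'None' security type. The byte strings used to exercise it are constructed, not captured from a real host, and the `probe()` helper assumes you have permission to test whatever host you point it at.

```python
"""Classify an RFB (VNC) server from the first messages it sends, before any
authentication.  Added example for this page, not Cyble's or any VNC
project's code.  The byte strings used to test it are constructed."""
import socket
import struct

# Security types from the RFB specification (RFC 6143) plus common extensions.
SECURITY_TYPE_NAMES = {
    1: "None",                # no authentication at all
    2: "VNC Authentication",  # DES challenge/response on an 8-character password
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte 'RFB xxx.yyy\\n' greeting into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def _reason(payload: bytes, offset: int) -> str:
    """Decode the U32-length-prefixed reason string a refusing server sends."""
    if len(payload) < offset + 4:
        return "<no reason given>"
    (length,) = struct.unpack("!I", payload[offset:offset + 4])
    return payload[offset + 4:offset + 4 + length].decode("latin-1", "replace")


def parse_security_types(payload: bytes, minor: int) -> list:
    """Parse the security-type message that follows the version exchange.

    Protocol 3.3 sends one U32 security type (0 = connection failed).
    Protocols 3.7 and 3.8 send a U8 count followed by that many U8 types;
    a count of 0 means the server refused and a reason string follows.
    """
    if minor <= 3:
        if len(payload) < 4:
            raise ValueError("truncated 3.3 security-type message")
        (sec_type,) = struct.unpack("!I", payload[:4])
        if sec_type == 0:
            raise ConnectionError("server refused connection: " + _reason(payload, 4))
        return [sec_type]
    if not payload:
        raise ValueError("truncated security-type list")
    count = payload[0]
    if count == 0:
        raise ConnectionError("server refused connection: " + _reason(payload, 1))
    if len(payload) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(payload[1:1 + count])


def classify(sec_types: list) -> str:
    """Summarise the server's posture.  The client picks the type, so a server
    that offers 'None' at all is effectively unauthenticated."""
    if 1 in sec_types:
        return "NO AUTHENTICATION"
    names = [SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in sec_types]
    return "auth required: " + ", ".join(names)


def assess_handshake(banner: bytes, payload: bytes) -> str:
    """Classify a server from its greeting and its security-type message."""
    _, minor = parse_version(banner)
    return classify(parse_security_types(payload, minor))


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> str:
    """Read-only check of a VNC server you are authorised to test: complete the
    version exchange, read the security types, and disconnect without
    attempting to authenticate."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        major, minor = parse_version(banner)
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))  # accept the offered version
        payload = s.recv(260)  # U8 count + up to 255 types, or a refusal reason
        return assess_handshake(banner, payload)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5900))
```

Two caveats when reading the output: a server that offers 'None' alongside stronger types is still classified as unauthenticated, because the client chooses and an attacker will choose 'None'; and "auth required: VNC Authentication" is a floor, not a clean bill of health, since classic VNC Authentication is a DES challenge/response over a password truncated to eight characters.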

The Cyble team also cited the case of an individual using the alias ‘Spielerkid89’ who connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. “To remotely access a ministry employee’s desktop, the hacker didn’t need any password or authentication – they could access all the files and information on that computer via an open VNC port,” they added.

The researchers noted that the hacker wrote, ‘I was able to access people’s names, other IP addresses pointing to other computers on the network, and financial documents, too.’ More broadly, a successful attack by ransomware, data extortion, advanced persistent threat (APT) groups, or other sophisticated cybercriminals is usually preceded by an initial compromise of the victim’s enterprise network, and an organization leaving VNC exposed over the internet broadens the attack surface and drastically increases the likelihood of a cyber incident, the team added.

Cyble researchers also found SCADA systems that are exposed and can be operated by an attacker due to exposed VNCs. “Exposing systems like this allows attackers to target a particular component within the environment and start a chain of events by manipulating various processes involved in the targeted facility,” they added.

Attackers can even gain insights into confidential and sensitive intelligence like the alarm set points, device ID, network details, control flow, etc., which can be further utilized to compromise the complete industrial control system (ICS) environment, the team said. “An attacker gaining access to the above panel can change the direction, setpoints, and flow of processes involving heavy machinery, which can harm organizations’ production and sales, resulting in a financial and reputational loss,” they added.

Cyble researchers said that remote access to IT/OT infrastructure assets is convenient and has been widely adopted during the COVID-19 pandemic and under work-from-home policies. Without appropriate safety measures and security checks, however, it can lead to severe monetary loss. Leaving VNC exposed over the internet without authentication makes it fairly easy for intruders to penetrate the victim’s network and cause havoc.

“Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s),” the researchers said.

Analysis from CGSI shows that port 5900 has recently been actively scanned and targeted by attackers, which could lead to ransomware attacks on critical infrastructure in the near future. The post added that exposed VNCs at critical organizations put the national security, economy, energy, and transportation sectors at high risk of cyberattacks, and advised organizations using VNC and similar products to ensure that their ports and services are not exposed online and are appropriately secured.

Cyble called on the critical infrastructure sector to keep critical assets within the IT/OT environment behind firewalls, limit exposure of VNC to the internet, and ensure that devices within the ICS environment are patched with the latest updates released by the vendor.

It also recommended a strong password policy and proper access controls within the organization, along with logging and monitoring of assets to help find anomalies in the network. Additionally, organizations should enable all available security measures for VNC and carry out cybersecurity awareness and training programs for employees operating in an ICS environment.
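To show what the logging-and-monitoring recommendation looks like in practice, and to tie it to the port 5900 scanning CGSI reports, the following added example (written for this page, not Cyble's code) parses iptables-style firewall log lines, flags VNC connections accepted from outside a management subnet, and tallies connection attempts per source. The log lines and the `10.20.0.0/16` allow-list are constructed for illustration.

```python
"""Flag VNC sessions reaching OT assets from outside the management network,
using iptables-style firewall log lines.  Added example for this page, not
Cyble's code; the log lines and the allow-list are constructed."""
import ipaddress
import re
from collections import Counter

# Default VNC display ports :0 to :9 (5900 + display number).
VNC_PORTS = set(range(5900, 5910))

# Hypothetical management subnet that is allowed to reach VNC on OT assets.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

LOG_RE = re.compile(
    r"\b(?P<action>ACCEPT|DROP)\b.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one allowed session, two accepted sessions from public
# addresses, one scanner being dropped twice, and unrelated HTTPS traffic.
SAMPLE_LOGS = """\
Aug 10 09:01:12 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.20.4.7 DST=10.50.1.10 PROTO=TCP SPT=51022 DPT=5900 SYN
Aug 10 09:02:45 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.50.1.10 PROTO=TCP SPT=40012 DPT=5900 SYN
Aug 10 09:03:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.50.1.11 PROTO=TCP SPT=33333 DPT=5901 SYN
Aug 10 09:03:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.50.1.14 PROTO=TCP SPT=33334 DPT=5900 SYN
Aug 10 09:04:20 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.50.1.12 PROTO=TCP SPT=33335 DPT=443 SYN
Aug 10 09:05:00 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.50.1.13 PROTO=TCP SPT=40013 DPT=5901 SYN
"""


def parse_vnc_events(lines, allowed=ALLOWED_SOURCES):
    """Yield (action, src, dst, dpt) for TCP events on VNC ports whose source
    is outside the allow-list.  Lines that do not parse are skipped."""
    for line in lines.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m["dpt"]) not in VNC_PORTS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if any(src in net for net in allowed):
            continue
        yield m["action"], m["src"], m["dst"], int(m["dpt"])


def find_exposed_vnc(lines, allowed=ALLOWED_SOURCES):
    """Accepted VNC connections from non-management sources: each one is a
    path from the internet straight to an HMI or workstation."""
    return [(src, dst, dpt) for action, src, dst, dpt in parse_vnc_events(lines, allowed)
            if action == "ACCEPT"]


def count_vnc_probes(lines, allowed=ALLOWED_SOURCES):
    """Per-source count of VNC connection attempts (accepted or dropped) from
    outside the allow-list, i.e. who is scanning port 5900."""
    return Counter(src for _, src, _, _ in parse_vnc_events(lines, allowed))


if __name__ == "__main__":
    for finding in find_exposed_vnc(SAMPLE_LOGS):
        print("EXPOSED VNC SESSION: %s -> %s:%d" % finding)
    for src, n in count_vnc_probes(SAMPLE_LOGS).most_common():
        print("%-16s %d attempt(s) on VNC ports" % (src, n))
```

An ACCEPT from a public address to a VNC port is the finding that matters: it means the firewall rule the advisory asks for is missing, and the only thing left between the scanner and the HMI is whatever the VNC server's own authentication is set to. Dropped attempts are still worth counting, since a rising tally on port 5900 is exactly the scanning trend CGSI describes.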

In April, U.S. security agencies and the Department of Energy (DOE) warned in a joint Cybersecurity Advisory (CSA) that certain APT actors have demonstrated the capability to gain full system access to multiple ICS/SCADA devices.
