Critical Infrastructure at Risk as Thousands of VNC Instances Exposed

  • Security researchers have warned that countless global organizations might be at risk of remote compromise after discovering more than 8000 exposed Virtual Network Computing (VNC) instances.

    A team at security vendor Cyble said it found the instances were managed by critical infrastructure (CNI) organizations such as water treatment plants, manufacturing plants and research facilities.

    VNC is a cross-platform screen-sharing system which allows users to remotely control another computer. However, with authentication disabled as per the 8000 VNC instances discovered by Cyble, malicious actors could potentially hijack these endpoints and the industrial control systems they’re often connected to.

    “During the course of the investigation, researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control and Data Acquisition (SCADA) systems, workstations, etc., connected via VNC and exposed over the internet,” the firm said.

    “Malicious hackers can utilize online search engines to narrow down victim organizations with exposed VNCs. They can also abruptly change the set points, rotations, and pump stations, resulting in loss of operations. This can even result in disruption of the supply chain and the processes connected with the affected industries.”

    APT actors could exploit the exposed VNC deployments not only for sabotage and reconnaissance but also data theft/extortion and ransomware, Cyble warned.

    It claimed to have spotted surges in attacks on Port 5900, the default for VNC, between July 9 and August 9 this year, most of which originated from the Netherlands, Russia and Ukraine.

    The countries with most exposed VNC instances were China (1555), Sweden (1506), the US (835), Spain (555) and Brazil (529).

    “Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 pandemic and work-from-home policies. However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss,” Cyble concluded.

    “Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc. Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).”

    Cyble recommended firms running VNC to improve security awareness training, ensure proper access policies and firewalls are in place, and make sure devices are patched and continuously monitored.