- Cyble’s investigation showed that there are more than 8,000 VNC instances that don’t require authentication for visitors.
- Attackers are also aware of this situation and mainly targeting port 5900, the default port for VNCs to be able to breach into the system.
- Cyble stated that most of the attacks are coming from the Netherlands, Russia, and Ukraine and China, Sweden, and the United States are among the top 5 countries with exposed VNCs.
Virtual Network Computing is a platform-independent graphical desktop-sharing system using the Remote Frame Buffer protocol for controlling remote devices. Researchers at Cyble stated that there are currently more than 8,000 exposed VNC instances without authentication. Some of the top 5 countries with exposed VNCs online are China, Sweden, and the United States.
Port 5900
Cyble stated that according to the data gathered by Cyble Global Sensor Intelligence, there is a peak in attacks targeting port 5900, which is the default port for VNCs. Most of the attacks are coming from the Netherlands, Russia, and Ukraine.
Leaving exposed VNCs over the internet increases the attack surface of an organization, which may allow attackers to cause serious troubles. Cyble’s research also unveiled that users of cybercrime forums and markets are selling, buying, and distributing exposed assets connected via VNCs. Attackers can also use search engines to pinpoint the victim’s organization with exposed VNCs. Some VNCs allow anyone to change the values of an operational facility, like a water treatment plant, which can lead to serious physical damage. Cyble said,
« Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies.
However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.
Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s). Analysis from CGSI points out that recently port 5900 has been actively scanned and targeted by the attackers, which can also result in ransomware attacks on critical infrastructure in the near future. »