Researchers have uncovered more than 9,000 exposed Virtual Network Computing (VNC) endpoints that can be accessed without any authentication, giving threat actors an easy way into internal networks.
VNC is a platform-independent system designed to let users connect to remote machines that need adjustment or monitoring; it provides remote control of a computer via the Remote Frame Buffer (RFB) protocol over an ordinary network connection.
However, if these endpoints are not secured with a strong password (something that can happen through error, negligence, or a deliberate trade-off for ease of use), they can serve as entry points for unauthorised users, including threat actors with malicious intent.
Depending on the type of systems that sit behind the exposed VNCs, the impact can range from negligible to devastating, and can affect a hundred users or millions.
Security researchers at Cyble recently scanned the internet for internet-facing VNC instances with no password and identified more than 9,000 easily accessible servers.
Out of the vulnerable servers found by Cyble, most were in Sweden and China, but the US, Brazil and Spain were also included in the top five, each with a substantial number of unprotected VNCs.
Making matters worse, the researchers found that some of the exposed VNCs fronted industrial control systems, which should never be reachable from the internet.
Cyble’s report commented:
“During the course of the investigation, researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control and Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet.”
In one of the cases Cyble explored, the unprotected VNC session led to an HMI used to control pumps in a remote SCADA system at an unnamed manufacturing unit.
To gauge how often threat actors target VNC servers, the researchers used Cyble's cyber-intelligence tooling to monitor for connection attempts on the default VNC port (5900). They recorded more than six million requests in a single month, with the majority of access attempts originating from Russia, the Netherlands and the US.
High demand for access
On hacker forums, demand for access to vital networks through cracked or exposed VNCs is exceptionally high, because in the right circumstances this kind of access can be used to push deeper into a network.
A Cyble researcher explained the malicious actions threat actors can take once they have access to a system.
“Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network.”
When hackers discover exposed VNCs with no password, or with easy-to-crack credentials, they often post them on dark web forums.
Weak passwords are another concern for VNC security, although Cyble's investigation only counted instances where the authentication layer was entirely disabled.
Had servers with weak passwords been included, the number of vulnerable VNCs would likely have been even higher.
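As an added illustration of what "authentication layer entirely disabled" means on the wire (example code written for this page, not Cyble's scanner or any project's code): right after the version exchange, an RFB server announces the security types it accepts. A server that offers type 1 ("None") lets any client in with no password at all, while one offering only type 2 ("VNC Authentication") still demands a password, which is why a scan of this kind finds disabled authentication but cannot find weak passwords without actual login attempts. The server responses below are constructed for the example; `probe_host` is a convenience wrapper around `socket.create_connection` for hosts you are authorised to test.

```python
"""Added example (not Cyble's scanner or any project's code): classify a VNC
server's authentication setting from the first bytes of its RFB handshake.
A scripted socket replays constructed server responses so this runs offline."""
import re
import socket
import struct

# Well-known RFB security-type codes; anything else is reported as unknown.
SECURITY_TYPE_NAMES = {
    0: "invalid/connection failed",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner the server sends first."""
    m = _VERSION_RE.match(banner)
    if not m:
        raise ValueError("not an RFB server banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def _read_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise; recv() may return short chunks."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-handshake")
        buf += chunk
    return buf


def probe(sock) -> dict:
    """Run the version exchange and security-type negotiation, then classify."""
    server_version = parse_version(_read_exact(sock, 12))
    # Answer with the highest protocol version both sides support.
    if server_version >= (3, 8):
        ours = (3, 8)
    elif server_version == (3, 7):
        ours = (3, 7)
    else:
        ours = (3, 3)
    sock.sendall(b"RFB %03d.%03d\n" % ours)

    reason = ""
    if ours == (3, 3):
        # RFB 3.3: the server picks one security type and sends it as a U32.
        (sec_type,) = struct.unpack(">I", _read_exact(sock, 4))
        types = [sec_type]
        if sec_type == 0:
            (rlen,) = struct.unpack(">I", _read_exact(sock, 4))
            reason = _read_exact(sock, rlen).decode("latin-1", "replace")
    else:
        # RFB 3.7/3.8: U8 count, then that many U8 types the client may choose from.
        count = _read_exact(sock, 1)[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", _read_exact(sock, 4))
            reason = _read_exact(sock, rlen).decode("latin-1", "replace")
            types = []
        else:
            types = list(_read_exact(sock, count))

    return {
        "version": ours,
        "security_types": types,
        "names": [SECURITY_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in types],
        # Type 1 (None) on offer means any client can pick it: no password at all.
        "no_auth": 1 in types,
        "reason": reason,
    }


class ScriptedSocket:
    """Stand-in for a TCP socket that replays constructed server bytes."""

    def __init__(self, server_bytes: bytes):
        self._buf = server_bytes
        self.sent = b""

    def recv(self, n: int) -> bytes:
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk

    def sendall(self, data: bytes) -> None:
        self.sent += data


def probe_host(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Same probe against a live server (only hosts you are authorised to test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock)


if __name__ == "__main__":
    # Constructed server responses, not captures from real hosts.
    samples = {
        "3.8, offers None and VNC auth": b"RFB 003.008\n\x02\x01\x02",
        "3.8, VNC auth only": b"RFB 003.008\n\x01\x02",
        "3.3, None": b"RFB 003.003\n" + struct.pack(">I", 1),
        "3.8, refuses": b"RFB 003.008\n\x00" + struct.pack(">I", 7) + b"refused",
    }
    for label, data in samples.items():
        r = probe(ScriptedSocket(data))
        print("%-32s no_auth=%-5s %s %s" % (label, r["no_auth"], r["names"], r["reason"]))
```

Note that a server offering both "None" and "VNC Authentication" is still counted as exposed, because the client chooses from the list and will simply pick "None".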