"Critical Infrastructure at Risk as Thousands of VNC Instances Exposed"

Security researchers at Cyble have warned that countless global organizations might be at risk of remote compromise after discovering more than 8000 exposed Virtual Network Computing (VNC) instances. The researchers found that the instances were managed by critical infrastructure (CNI) organizations such as water treatment plants, manufacturing plants, and research facilities.

VNC is a cross-platform screen-sharing system which allows users to remotely control another computer. The researchers noted that with authentication disabled, as it was on the 8000 VNC instances, malicious actors could potentially hijack these endpoints and the industrial control systems they're often connected to. During the investigation, the researchers stated, they were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control and Data Acquisition (SCADA) systems, workstations, etc., connected via VNC and exposed over the internet.

The researchers noted that threat actors can utilize online search engines to narrow down victim organizations with exposed VNCs. Threat actors can also abruptly change the set points, rotations, and pump stations, resulting in loss of operations. This can even result in disruption of the supply chain and the processes connected with the affected industries. The researchers stated that APT actors could exploit the exposed VNC deployments not only for sabotage and reconnaissance but also for data theft/extortion and ransomware.

The researchers spotted surges in attacks on port 5900, the default for VNC, between July 9 and August 9 this year, most of which originated from the Netherlands, Russia, and Ukraine. The countries with the most exposed VNC instances were China (1555), Sweden (1506), the US (835), Spain (555), and Brazil (529).

The researchers recommend that firms running VNCs improve security awareness training, ensure proper access policies and firewalls are in place, and ensure devices are patched and continuously monitored.
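The following is an added example, not taken from Cyble's research or the Infosecurity article: one way a defender can check its own VNC servers for the disabled-authentication condition described above, by parsing the first two server messages of the RFB handshake (RFC 6143) from bytes already captured on the defender's network. The host names and byte strings are constructed, and treating unknown newer protocol versions like 3.7/3.8 is an assumption.

```python
import struct

NO_AUTH = 1  # RFB security type "None" (RFC 6143): no credentials are requested

def offered_security_types(banner: bytes, security_msg: bytes) -> list:
    """Security types advertised in the server's first two RFB handshake messages."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(banner[4:7]), int(banner[8:11]))
    if version < (3, 7):
        # RFB 3.3: the server chooses one type and sends it as a 32-bit big-endian value.
        if len(security_msg) < 4:
            raise ValueError("truncated security message")
        (chosen,) = struct.unpack(">I", security_msg[:4])
        return [chosen] if chosen else []  # 0 means the server refused the connection
    # RFB 3.7 and later (assumption: unknown newer versions use the same layout):
    # one count byte followed by that many one-byte security types.
    if not security_msg:
        raise ValueError("truncated security message")
    count = security_msg[0]
    types = security_msg[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return list(types)  # empty when count is 0: refused, a reason string follows

def classify(banner: bytes, security_msg: bytes) -> str:
    """Label one server as 'no-auth', 'auth-required' or 'refused'."""
    types = offered_security_types(banner, security_msg)
    if not types:
        return "refused"
    return "no-auth" if NO_AUTH in types else "auth-required"

# Constructed captures for hypothetical hosts in the defender's own inventory.
CAPTURES = {
    "hmi-01": (b"RFB 003.008\n", b"\x01\x01"),
    "scada-ws": (b"RFB 003.008\n", b"\x02\x02\x10"),
    "legacy-panel": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),
    "eng-laptop": (b"RFB 003.008\n", b"\x00\x00\x00\x00\x1aToo many security failures"),
}

def audit(captures: dict) -> dict:
    """Map each host to its classification."""
    return {host: classify(*msgs) for host, msgs in captures.items()}

if __name__ == "__main__":
    for host, verdict in audit(CAPTURES).items():
        print(f"{host:14} {verdict}")
```

A host reported as `no-auth` accepts sessions without credentials and should be reconfigured to require authentication and placed behind a firewall or VPN rather than left reachable on port 5900.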

 

Infosecurity reports: "Critical Infrastructure at Risk as Thousands of VNC Instances Exposed"
