Hackers Exploit Exposed VNCs, Access Systems Without Passwords

The Cyble Global Sensor Intelligence (CGSI) shed light on desktops getting hacked using exposed Virtual Network Computing (VNC). Over 8000 incidents came to light where hackers used exposed VNC to access computers remotely.

Since these VNC endpoints did not need authentication, threat actors could access systems in several countries like China, Sweden, and the U.S. Names, IP addresses, connected devices etc., were compromised. Among the top five exposed countries, China had 1,555 VNCs, Sweden had 1,506, the U.S. had 835, Spain had 555, and Brazil had 529.

According to the report, the exposed VNCs were from critical infrastructure-related organizations, research facilities, water treatment plants, manufacturing plants, etc. This questioned the security of national data that may get into the hands of miscreants. The data from Cyble showed that on Port 5900, there was an increased number of attacks. This is based on the attacks monitored between July 9 to August 9, 2022.

The research revealed that hacking into the Ministry of Health system in the Omsk region, Russia, did not need their password. Multiple Human Machine Interface (HMI) systems, Supervisory Control and Data Acquisition Systems (SCADA), workstations etc., were compromised through the internet as they were connected using exposed VNCs. The attacks were traced back to Netherlands, Russia, and Ukraine.

Illegal buying and selling data hacked using connected exposed VNCs is on a rise. Not requiring authentication or log-in credentials such as passwords has made systems across the globe easy to be spied on using open VNC ports. Access to VNC was initially used to connect systems and remote monitoring and control computers using the Remote Frame Buffer (RFB) protocol.

Data from conversations about buying and selling access to large gaming companies and factories in ‘stock’ were unearthed. Malicious actors collect the data from search results to find organizations with exposed VNCs. They can change the settings of systems, affect the maintenance of equipment running on set credentials, and potentially damage infrastructure. This means that hackers and threat actors can also change orders and data in the systems they access, leading to confusion and impacting security measures.