Researchers at Cyble have discovered at least 9,000 exposed Virtual Network Computing (VNC) endpoints that can be accessed without authentication, giving threat actors easy access to internal networks. These platform-independent systems provide control of remote computers over a network connection using the Remote Frame Buffer (RFB) protocol. If these endpoints aren’t fully secured with a password, they can serve as an entry point for unauthorized users. Cyble’s report stated, “Researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control and Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet.” Cyble began monitoring for attacks on the default port for VNC and found over six million requests over one month. Demand for access to critical networks is high on hacker forums, with users asking to buy VNC access and others providing instructions on how to find exposed VNCs.
Cyble’s investigation focused only on instances that had the authentication layer completely disabled. Weak passwords are also a concern for VNC security: if instances with easy-to-crack passwords had been included in the investigation, the number of vulnerable instances would increase dramatically. It is important to note that VNC products do not support passwords longer than eight characters, so they are inherently insecure even if encrypted. VNC administrators are advised never to expose servers directly to the internet and always to add a password to restrict access. At the very least, they should place the servers behind a VPN to secure access to them.
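The condition Cyble counted, a server whose RFB handshake offers the "None" security type, can be recognised on your own hosts from the first bytes the server sends. The following is an added example, not taken from Cyble's report: it follows the handshake layout in RFC 6143, the function name and sample byte strings are constructed here, and it assumes the client answered with the same protocol version the server announced.

```python
import re
import struct

# Security types defined in RFC 6143 section 7.1.2; other numbers are extensions.
SECURITY_NAMES = {1: "None", 2: "VNC Authentication"}


def classify_rfb_handshake(server_bytes: bytes) -> dict:
    """Classify the server-to-client bytes that open an RFB session.

    Hypothetical helper; assumes the client echoed the server's version.
    """
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", server_bytes[:12])
    if m is None:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    body = server_bytes[12:]
    if version in ((3, 7), (3, 8)):
        # 3.7/3.8: a U8 count, then one U8 per security type the server offers.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        types = list(body[1:1 + body[0]])
    else:
        # 3.3 (the RFC treats unrecognised versions as 3.3): the server
        # dictates a single U32 type; 0 means it refused the connection.
        if len(body) < 4:
            raise ValueError("truncated security type")
        (chosen,) = struct.unpack(">I", body[:4])
        types = [chosen] if chosen else []
    return {
        "version": version,
        "offered": [SECURITY_NAMES.get(t, f"other({t})") for t in types],
        "no_auth": 1 in types,  # the exposure described in the article
        "password_only": bool(types) and set(types) == {2},
    }


# Constructed server-side captures for illustration (not from real hosts).
SAMPLES = {
    "open-hmi": b"RFB 003.008\n" + bytes([1, 1]),
    "password": b"RFB 003.008\n" + bytes([1, 2]),
    "mixed": b"RFB 003.007\n" + bytes([2, 2, 1]),
    "legacy": b"RFB 003.003\n" + struct.pack(">I", 2),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_rfb_handshake(raw))
```

A server that lists "None" alongside a password type ("mixed" above) is still flagged, since a client may select any type the server offers.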