Researchers at Cyble discovered over 8,000 exposed VNC (virtual network computing) endpoints that allow access to networks without authentication. VNC is a graphical desktop-sharing system that allows control of another machine remotely. It mirrors graphical screen changes as well as keyboard and mouse inputs from one machine to another. Many of the exposed VNC’s found belonged to industrial control systems that should never be exposed.
“the exposed VNCs found during the time of analysis belong to various organizations that come under Critical Infrastructures such as water treatment plants, manufacturing plants, research facilities, etc. During the course of the investigation, researchers were able to narrow down multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet.…
“A successful cyberattack by any ransomware, data extortion, Advanced Persistent Threat (APT) groups, or other sophisticated cybercriminals is usually preceded by an initial compromise into the victim’s enterprise network. An organization leaving exposed VNCs over the internet broadens the scope for attackers and drastically increases the likelihood of cyber incidents.
“Our investigation found that selling, buying, and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets.”
This a massive risk to ICS safety and operations, as antiquated ICS systems are connected to IT and the internet. And this is a growing problem as well because unless these systems have been audited, they may not be aware they are even running a VNC service. Traditionally, OT systems were assumed to be secure because they were isolated from the internet and other enterprise IT systems. OT systems were “air gapped” from IT systems by being physically separated. Although this did not render cyberattacks impossible, it made attacking OT systems difficult and time-consuming, which made compromising those systems less likely. In the years since, however, IT and OT systems have converged, combining the use of IT and ICS protocols. That convergence has increased vulnerabilities and made OT systems, many of which were never intended to be connected to the internet, a more available and attractive target for threat actors.
Critical infrastructure organizations can maintain secure and frictionless remote access with a zero-trust architecture using strategies such as protocol isolation, integrated MFA, role-based and time-based access controls, site level moderated access, user session analytics, and more. In industrial settings, the need for protocol isolation is urgent. The air gaps that once existed between OT and IT systems must be effectively replicated so the OT network is still protected while also providing frictionless and efficient remote operations. Organizations that use legacy, unencrypted protocols open the door for malicious actors to harvest credentials and move throughout the network and find vulnerable systems. Isolating protocols and functions, along with segmenting the network, will limit what threat actors can do once inside the network.
As the Cyble report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices can present appealing soft targets, especially with exposed VNCs. A key strategy for avoidance is using stealth networking which obfuscates source to destination relationships as well as sensitive data flows. Such technology can assure full privacy and anonymity of all protected OT assets without adversely impacting their ability to communicate. This makes it virtually impossible for a threat actor to detect or target such systems even with exposed VNC and other vulnerabilities adding defense in depth to the infrastructure.