Friday, May 24, 2024

VNC Is The Hacker’s New Remote Desktop Tool For Cyber Attacks

While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.

The multitude of ports makes it difficult to monitor for malicious traffic. 

Weak credentials and software vulnerabilities are exploited to gain access to user systems.

Hackers may also use technical support scams to trick users into granting access.  

The Most Targeted Remote Desktop Tools In The Last 12 Months

Researchers identified VNC, a platform-independent remote desktop tool using RFB protocol, as the most targeted remote desktop application (98% of traffic).

The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass. 

Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The security of VNCs varies depending on the specific software, while some offer weak password limitations, others leverage SSH or VPN tunnelling for encryption.

VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions. 

Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China. 

Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC. 

Flaws Exploited

In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software,  and RDP vulnerabilities like CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda

Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks. 

In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.

North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques. 

TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication. 

Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams. 

Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities. 

AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Website

Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles