The Unstoppable and Unpredictable Evolution of the Tech Industry
What are VNCs? Virtual Network Computing (VNC) is a cross-platform tool that allows for remote screen sharing. Unfortunately, hackers have found ways to exploit VNC, turning it into a powerful tool for cyberattacks. Let's dive into how this happens.
Researchers have identified VNC as the most targeted remote desktop application, with 98% of related traffic being malicious. These attacks often exploit weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, which allows for authentication bypass.
Interestingly, over 99% of these attacks target unsecured HTTP ports rather than the TCP ports used for application data exchange. This suggests that attackers exploit the inherent lack of authentication on HTTP to gain unauthorized access. The security of VNC varies by implementation: some impose weak limits on passwords, while others rely on SSH or VPN tunneling for encryption.
VNC uses a base port (5800 for TCP, 5900 for HTTP) plus a display number, so one host can listen on many ports; that makes it harder to secure with firewalls than single-port remote desktop solutions.
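Applying the port scheme above to flow logs, as an added example that is not the post's or the cited researchers' code: each destination port is mapped back to a base port and display number, hits are counted per base, and a source that sweeps many displays is flagged, which is the traffic a single-port firewall rule would miss. The flow lines and the 0 to 99 display range are constructed assumptions.

```python
from collections import defaultdict

# Added example, not the post's or the cited researchers' code.
VNC_BASES = (5800, 5900)   # the two VNC base ports named in the post
MAX_DISPLAY = 99           # assumed: displays :0 through :99

def vnc_display(port):
    """Return (base, display) when port == base + display is in range, else None."""
    for base in VNC_BASES:
        if base <= port <= base + MAX_DISPLAY:
            return base, port - base
    return None

def parse_flow(line):
    """Parse 'src_ip dst_ip dst_port' from a constructed flow-log line."""
    src, dst, port = line.split()
    return src, dst, int(port)

def vnc_report(lines, sweep_threshold=3):
    """Per source IP: hits per base port, distinct VNC targets, and a sweep flag.

    More than sweep_threshold distinct (host, base, display) targets from one
    source means it is sweeping the display range: the traffic a single-port
    firewall rule does not cover.
    """
    per_src = defaultdict(lambda: {"by_base": defaultdict(int), "targets": set()})
    for line in lines:
        src, dst, port = parse_flow(line)
        hit = vnc_display(port)
        if hit is None:
            continue  # not a VNC port, ignore
        base, display = hit
        per_src[src]["by_base"][base] += 1
        per_src[src]["targets"].add((dst, base, display))
    return {src: {"base_counts": dict(rec["by_base"]),
                  "targets_touched": len(rec["targets"]),
                  "display_sweep": len(rec["targets"]) > sweep_threshold}
            for src, rec in per_src.items()}

# Constructed sample: one source sweeping displays, one single-display session, one non-VNC flow.
SAMPLE_FLOWS = [
    "203.0.113.7 192.0.2.10 5800",
    "203.0.113.7 192.0.2.10 5801",
    "203.0.113.7 192.0.2.10 5802",
    "203.0.113.7 192.0.2.10 5803",
    "203.0.113.7 192.0.2.10 5901",
    "198.51.100.4 192.0.2.10 5901",
    "198.51.100.4 192.0.2.10 443",
]
```

Running `vnc_report(SAMPLE_FLOWS)` flags 203.0.113.7 as a display sweep across both base ranges and leaves the single-display session unflagged.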
Tracking the origin of VNC attacks is challenging because attackers often use proxies and VPNs, but a significant portion seems to originate from China. In one study, 15% of RDP attacks leveraged obsolete cookies, likely targeting older, more vulnerable RDP software. RDP vulnerabilities such as CVE-2018-0886 (credential security), CVE-2019-0708 (worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda.
Attackers exploit RDP vulnerabilities to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks. Social engineering scams are another threat, where attackers convince users to grant RDP access to fix fake technical problems. Vulnerable RDP instances are often sold on the black market for further attacks.
North America is a leading source of RDP attacks, but tracking these attacks is difficult due to anonymizing techniques.
TeamViewer, another remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication. Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions, which may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams.
Citrix developed ICA as an alternative to RDP, using ports 1494 and 2598. However, older ICA clients and the ICA Proxy have had remote code execution (RCE) vulnerabilities.
Thank you for reading this blog! This blog wouldn't be possible without our sponsor Surfshark.
Protect Your Digital Life with Surfshark One
As we embrace these exciting technologies, securing our digital life becomes crucial. Surfshark One offers a comprehensive security solution with features like VPN, antivirus, and data breach alerts. Enjoy an exclusive offer: 78% off plus 3 extra months for just $3.19 per month through this link.
Claim Your Surfshark Offer Here
You guys know it won't be a complete blog from me if I don't give credit where it's due:
GBHacker