UPDATED 19:21 EDT / AUGUST 15 2022

SECURITY

Thousands of VNC instances found exposed without password protection

Thousands of virtual network computing instances have been found exposed online without the need for authentication, potentially allowing attackers to gain access to and take over networks easily.

As detailed Friday by researchers at Cyble Inc., the issue lies in how VNC uses the Remote Frame Buffer protocol to provide control of a remote machine over a network. In these cases, the protocol was found not to be password-protected, even though VNC supports setting a password.

The RFB endpoints are reachable on port 5900. More than 8,000 VNC instances were found exposed online, and the true number could be higher still. Notably, the lack of password protection results from VNC users disabling the feature, rather than from an installation issue or a similar oversight on the VNC side.
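To make the check concrete, here is an added example (not from the Cyble report or this article) that parses the first two server messages of an RFB handshake and flags a server whose offered security types include "None", which is what "no password" looks like on the wire. The sample bytes are constructed, and the type numbers and names follow RFC 6143.

```python
"""Parse the opening RFB (VNC) handshake to see whether a server offers
the 'None' security type, i.e. lets clients in without a password.
Format per RFC 6143 (RFB 3.8); the older RFB 3.3 variant is also handled."""
import re
import struct

SEC_NONE = 1
SEC_VNC_AUTH = 2
# Registered security-type numbers from RFC 6143 (a subset).
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_version(banner: bytes) -> tuple:
    """The server's first message is exactly 12 bytes: b'RFB xxx.yyy\\n'."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))

def parse_security_types(version: tuple, payload: bytes) -> list:
    """Second server message. RFB 3.3: one U32 security type chosen by the
    server. RFB 3.7+: a U8 count, then `count` U8 types the client may pick
    from. A count (or type) of 0 means the server refused the connection."""
    if version < (3, 7):
        (sec_type,) = struct.unpack("!I", payload[:4])
        return [sec_type]
    count = payload[0]
    if count == 0:
        return []  # refused; a U32 length and a reason string follow
    return list(payload[1:1 + count])

def allows_unauthenticated(banner: bytes, payload: bytes) -> bool:
    """True when 'None' (type 1) is among the offered security types,
    so any client can proceed to the framebuffer without a password."""
    return SEC_NONE in parse_security_types(parse_version(banner), payload)

# Constructed sample exchanges (not captured from any real host).
OPEN_SERVER = (b"RFB 003.008\n", bytes([2, SEC_NONE, SEC_VNC_AUTH]))
LOCKED_SERVER = (b"RFB 003.008\n", bytes([1, SEC_VNC_AUTH]))
LEGACY_OPEN = (b"RFB 003.003\n", struct.pack("!I", SEC_NONE))

if __name__ == "__main__":
    for label, (banner, sec) in [("open", OPEN_SERVER), ("locked", LOCKED_SERVER),
                                 ("legacy", LEGACY_OPEN)]:
        types = parse_security_types(parse_version(banner), sec)
        names = ", ".join(SECURITY_NAMES.get(t, str(t)) for t in types)
        print(f"{label}: offers [{names}] -> no password needed: "
              f"{allows_unauthenticated(banner, sec)}")
```

A server that only offers "VNC Authentication" still uses the weak DES challenge-response, so the fix the researchers recommend is keeping port 5900 off the internet, not just re-enabling the password.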

The exposed VNC instances were primarily located in five countries: China, Sweden, the U.S., Spain and Brazil. Some of the exposed instances belonged to companies in the critical infrastructure sector, including water treatment plants, manufacturers and research facilities. Through the exposed VNC instances, the researchers also identified multiple human-machine interface systems, supervisory control and data acquisition, or SCADA, systems and workstations that were connected to the internet using VNC.

Using the exposed VNC instances, attackers could potentially compromise industrial control systems, disrupt supply chain processes and more. A highly malicious attacker or advanced persistent threat group could even go as far as causing real-world damage to infrastructure to the point of causing the death of critical infrastructure employees.

“Exposed VNCs from critical organizations put the national security, economy, energy and transportation sectors at high risk of cyberattacks,” the researchers said. “It is advised that organizations using VNC and similar products should ensure that their ports and services are not exposed online and are appropriately secured.”

Tim Silverline, vice president of security at network automation solutions provider Gluware Inc., told SiliconANGLE that the risk is an “enormous deal” for the companies with exposed instances that have disabled authentication.

“The dangers in leaving these systems exposed without authentication are allowing anyone on the internet direct access to the internal networks of the companies and potentially with the permissions to cause immediate harm by deploying ransomware or disrupting company operations,” Silverline explained. “They talk about critical infrastructure because several of the assets which were scanned and found to be open during this exercise were in critical infrastructure companies with access to things like oil and gas lines and water pumps.”

The ability to change these settings remotely could have “devastating and potentially life-impacting consequences,” Silverline added. “Leaving systems with these kinds of capabilities open for anyone to connect to dramatically increases the likelihood for similar attempts in the future.”

