Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

"Open" Access to Industrial Systems Interface is Also Far From Zero

Published: 2021-05-14
Last Updated: 2021-05-14 05:35:22 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Jan's last diary about the recent attack against the US pipeline[1] was in perfect timing with the quick research I was preparing for a few weeks. If core components of industrial systems are less exposed in the wild, as said Jan, there is another issue with such infrastructures: remote access tools. Today, buildings, factories, farms must be controlled remotely or sometimes managed by third parties. If Microsoft RDP is common on many networks (and is often the weakest link in a classic attack like ransomware), there is another protocol that is heavily used to remote control industrial systems: VNC ("Virtual Network Computing")[2]. This protocol works with many different operating systems (clients and servers), is simple and efficient. For many companies developing industrial systems, It is a good candidate to offer remote access. 

To give you an idea of the VNC popularity on the Internet, Shodan report this number of available systems:

  • Port 5900: 907.387 hosts
  • Port 5901: 738.545 hosts

Note: VNC uses by default the port 5900+n, where n is the display number (usually :0 for a physical display).

I had a look at open port 5900 & 5901 and captured 655K exposed VNC servers. Don't take me wrong, I don't say that VNC is bad. I still use it almost weekly but, like all tools, it must be configured and used in a proper way. Read: access must be restricted (passwords, access-lists) and traffic encrypted. My next step was to hunt for open VNC console (without any authentication). I did not brute force passwords or tried even simple passwords like "admin". I used the tool vncsnapshot[3] to take screenshots of non-protected systems through the Tor Network. 

Based on the sample screenshots below, you realize that many organizations are at risk, and many bad stories like the US pipeline attack will continue to raise in the news...

[1] https://isc.sans.edu/forums/diary/Number+of+industrial+control+systems+on+the+internet+is+lower+then+in+2020but+still+far+from+zero/27412/
[2] https://en.wikipedia.org/wiki/Virtual_Network_Computing
[3] https://github.com/IDNT/vncsnapshot

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Number of industrial control systems on the internet is lower then in 2020...but still far from zero
May 12th 2021
3 days ago by Jan (0 comments)

Microsoft May 2021 Patch Tuesday
May 11th 2021
4 days ago by Renato (0 comments)

Correctly Validating IP Addresses: Why encoding matters for input validation.
May 10th 2021
5 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

API port data
created Apr 25th 2021
3 weeks ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
1 month ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
2 months ago by bas.auer@auerplace.nl (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
2 months ago by astraea (0 replies)

PFSense
created Dec 23rd 2020
4 months ago by bas.auer@auerplace.nl (6 replies)

View All Forums →

Latest News

Top Diaries

Maldocs: Protection Passwords
Feb 28th 2021
2 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Qakbot infection with Cobalt Strike
Mar 3rd 2021
2 months ago by Brad (0 comments)

Fun with DNS over TLS (DoT)
Mar 1st 2021
2 months ago by Rob VandenBrink (0 comments)

Adversary Simulation with Sim
Mar 2nd 2021
2 months ago by Russ McRee (0 comments)