News
Cross-platform VNC tool accounted for 98% of remote desktop attacks seen by Barracuda last year, most coming from China
May 2024 by Barracuda Networks
A new Threat Spotlight from Barracuda looks at the remote desktop tools most targeted by attackers over the last year and the security gaps that enable intruders to gain access. The findings show that Virtual Network Computing (VNC) was by far the most targeted remote desktop tool according to Barracuda’s data last year, accounting for 98% of the traffic across all remote desktop-specific ports.
VNC is platform independent and allows users and devices to connect to servers regardless of the operating system(s). VNC is used extensively in critical infrastructure industries, such as utilities, which are a growing target for cyberattack.
The simplest and most ubiquitous attack method used against remote desktop software, including VNC, is the abuse of weak, reused, and/or phished credentials. These offer an attacker immediate access to the systems the user has access to. Remote desktop software implementations can also be vulnerable to software bug exploits and technical support scams.
The geographical source of the VNC attacks is difficult to establish accurately because many attackers use proxies or VPNs to disguise their true origins. However, within that constraint it appears that around 60% of malicious traffic targeting VNC came from China.
The next most targeted tool was the Remote Desktop Protocol (RDP), accounting for about 1.6% of the attempted attacks detected. RDP is a relatively common, proprietary protocol created by Microsoft for remote desktop use.
Larger attacks against networks and data are more likely to involve RDP than VNC. For example, RDP attacks are often used to deploy malware, most often ransomware or cryptominers, or to harness vulnerable machines as part of DDoS attacks. RDP is also used in Microsoft Support vishing (voice/phone phishing) attacks that aim to scam users by convincing targets that their machine is having technical issues that the attacker can fix if RDP access is enabled and granted to them.
Other remote desktop tools targeted by attackers included TeamViewer, Independent Computing Architecture (ICA), AnyDesk, and Splashtop Remote.
“Remote desktop solutions are useful and popular business tools that allow employees to connect into their computer network from wherever they are. Unfortunately, they are also a prime target for cyberattack,” said Jonathan Tanner, Senior Security Researcher at Barracuda. “There are many different tools available, each using different and sometimes several virtual connection points, or ports, which make it harder for IT security teams to monitor for malicious connections and subsequent intrusion. Standardizing on one remote desktop solution across the organization will enable the IT team to focus resources on managing, monitoring, and securing the associated ports, blocking other traffic.”
Barracuda also recommends implementing defense-in-depth security solutions that can spot suspicious port traffic across the network. This should be complemented by robust security policies and programs, such as restricting remote service access to those who need it, using secure connections such as a VPN, and regularly updating software with the latest patches. Authentication methods should include the use of strong passwords, with multifactor authentication (MFA) as a minimum, ideally moving to a Zero Trust approach.
