Remote access tools are required to support a distributed or remote workforce, but they are also prime targets for cyberattacks. Barracuda’s study examined the most commonly used tools, their associated ports, and the ways attackers gain unauthorized access through them.
Tools for remote computer access, such as Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP), have become key tools to support remote workers and edge devices. They are also widely used in industries where infrastructure is critical, allowing users and devices to connect to servers, regardless of the platform used. However, their popularity and affordability make them preferred attack vectors for hackers.
In its latest Threat Spotlight report, Barracuda reviewed the remote access tools most targeted by cybercriminals over the past year and highlighted the security flaws that allowed attackers to break into systems. The analysis shows that Virtual Network Computing (VNC) is by far the most targeted tool, accounting for 98% of all traffic across the remote-access ports monitored in 2023, according to data collected by Barracuda.
60% of malicious traffic comes from China
Attacks on remote access tools can take many forms, but the most common and simplest is the abuse of weakly protected, reused, or spoofed credentials. By exploiting the victim user’s access, an attacker gains instant entry to a variety of systems, which can have disastrous consequences for businesses and individuals.
As for the geographical areas where these attacks on VNCs originate, “It is difficult to determine their exact origin because many cybercriminals use proxies or VPNs to hide their true location.”, the report says. However, around 60% of the malicious traffic targeting VNCs appears to originate from China.
Virtual Network Computing (VNC) – ports 5800+, 5900+
VNC, which uses the RFB protocol, allows users and devices to connect to servers regardless of the operating system being used. It is the core software behind, among others, Apple’s screen-sharing remote access solutions. It is also widely used in critical infrastructure industries, such as utilities, which are increasingly targeted by cyberattacks.
According to Barracuda data sources, VNC was by far the most targeted remote access tool over the past year, accounting for 98% of traffic on all ports specific to remote access. Over 99% of these attack attempts targeted HTTP ports, with the remaining one percent targeting TCP (Transmission Control Protocol) ports. This is probably because HTTP, the protocol used to access web pages, does not require any special authentication, unlike TCP, which is used to exchange data between applications and devices.
Most of the observed attacks against VNC involved brute-forcing weak and reused passwords. The most commonly targeted vulnerability was CVE-2006-2369, which allows an attacker to bypass authentication in RealVNC 4.1.1, a flaw in 18-year-old technology.
VNC exists in several implementations, each of which may differ slightly in functionality and operation. Some impose an 8-character limit on passwords, which makes them much easier for attackers to crack. By default, VNC traffic is not encrypted, but some solutions wrap it in an encrypted tunnel such as Secure Shell (SSH) or a Virtual Private Network (VPN) for added security.
Remote Desktop Protocol (RDP) – port 3389
RDP is a relatively common, proprietary protocol created by Microsoft for remote desktop access. RDP accounts for approximately 1.6% of attack attempts detected over the past year. However, larger network and data attacks are more likely to involve RDP than VNC. RDP attacks are often used to deploy malware, most commonly ransomware or cryptocurrency miners, or to exploit vulnerable machines for use in distributed denial of service (DDoS) attacks.
About one in six attempted attacks (15%) involved an outdated cookie, perhaps a deliberate tactic to help attackers identify older, and therefore likely more vulnerable, versions of RDP software.
Like other remote access services, RDP is primarily a target of credential-based attacks. However, several serious vulnerabilities that allow remote code execution (RCE) on a target system have been reported over the years. Notable examples include CVE-2018-0886, which affected the Credential Security Support Provider (CredSSP) used for RDP authentication; CVE-2019-0708, also known as BlueKeep, which could have been turned into a worm (although no worm was recorded in the wild); and CVE-2019-0887, which allowed attackers to break out of Hyper-V virtual machine instances and gain access to the hypervisor.
Most of the attempts against RDP come from North America
Attackers can also use RDP to obtain password hashes for more privileged accounts that manage workstations. This can be part of an attack on a system with an RDP server enabled, or a way to escalate privileges by enabling RDP on a system the attacker has already compromised.
However, despite these potentially high-risk RCE vulnerabilities, the majority of exploit attempts observed against RDP targeted denial-of-service vulnerabilities; these accounted for 9% of observed traffic.
RDP is also used in “Microsoft Support” vishing attacks that aim to convince users their machine has technical problems the attacker can fix if given RDP access. There is also an underground market for vulnerable or cracked RDP instances that other attackers can use as they wish, often for a few dollars per instance.
The data suggests that the majority of RDP attack attempts came from North America (which accounts for approximately 42% of attacks), followed by China and India, although as mentioned above, using a proxy or VPN can mask the true source of the attack.
TeamViewer — port 5938
Attacks targeting TeamViewer account for 0.1% of malicious traffic on all remote access ports covered by Barracuda data sources. Several of the observed attacks involved the Log4Shell vulnerability and appeared to target TeamViewer’s central control center, Frontline Command Center, which appears to be the only TeamViewer application that uses Java.
The latest versions of TeamViewer are intended for business use and integrate with Microsoft Teams, Salesforce and ServiceNow, among others. As a business offering, TeamViewer provides specific security features such as device fingerprinting, auto-generated credentials (which prevent weak or reused passwords), exponential back-off on incorrect credentials (which increases the wait time exponentially each time incorrect credentials are entered, protecting against brute-force attacks) and multi-factor authentication (MFA). All traffic between the TeamViewer client and server is also encrypted for added security.
Despite these protections, TeamViewer is still targeted by attacks, often as a result of credential theft or insecure credential sharing. TeamViewer is also used in tech support scams.
In addition to port 5938, ports 80 and 443 can also be used with TeamViewer, which can make it difficult for the security team to detect malicious connections on the network.
Independent Computing Architecture (ICA) – ports 1494, 2598
ICA is a remote access protocol created by Citrix as an alternative to RDP, although Citrix solutions that use ICA typically support RDP. Port 1494 is used for incoming ICA connections. ICA can also be encapsulated in Citrix’s Common Gateway protocol, which uses port 2598.
Some earlier versions of the ICA client had RCE vulnerabilities. A more general RCE vulnerability, CVE-2023-3519, also affected the ICA proxy and was exploited by attackers to plant web shells on affected systems.
AnyDesk – Port 6568
AnyDesk is another remote access solution that has been used in tech support scams as well as mobile banking customer service scams. In 2018, AnyDesk was bundled into several ransomware variants, presumably to mislead malware detection systems about the true purpose of the malware. In addition to port 6568, it can also use ports 80 or 443.
Splashtop Remote — Port 6783
Although it accounted for the fewest attack attempts among remote access solutions, Splashtop Remote has been used in tech support scams. It can also be compromised through weak, reused or spoofed passwords.