Press Release Cyber Crime & Forensic Identity & Access Threat Detection & Defense

Barracuda: 98% of Remote Desktop Attacks Hit VNC with Most Coming from China

CSA Editorial May 27, 2024

2 minutes read

Cross-platform VNC tools accounted for 98% of remote desktop attacks last year, with around 60% coming from China, according to a new Threat Spotlight report from Barracuda Networks, Inc., a trusted partner and leading provider of cloud-first security solutions.

The new Threat Spotlight looks at the remote desktop tools most targeted by attackers over the last year and the security gaps that enable intruders to gain access. The findings show that Virtual Network Computing (VNC) was by far the most targeted remote desktop tool according to Barracuda’s data last year, accounting for 98% of the traffic across all remote desktop-specific ports.

VNC is platform-independent and allows users and devices to connect to servers regardless of the operating system(s). VNC is used extensively in critical infrastructure industries, such as utilities, which are a growing target for cyberattacks.

The simplest and most ubiquitous attack method used against remote desktop software, including VNC, is the abuse of weak, reused, and/or phished credentials. These offer an attacker immediate access to the systems the user has access to. Remote desktop software implementations can also be vulnerable to software bug exploits and technical support scams.

The geographical source of the VNC attacks is difficult to establish accurately because many attackers use proxies or VPNs to disguise their true origins. However, within that constraint, it appears that around 60% of malicious traffic targeting VNC came from China.

The next most targeted tool was the Remote Desktop Protocol (RDP), accounting for about 1.6% of the attempted attacks detected. RDP is a relatively common, proprietary protocol created by Microsoft for remote desktop use.

Larger attacks against networks and data are more likely to involve RDP than VNC. For example, RDP attacks are often used to deploy malware, most often ransomware or crypto miners, or to harness vulnerable machines as part of DDoS attacks. RDP is also used in Microsoft Support vishing (voice/phone phishing) attacks that aim to scam users by convincing targets that their machine is having technical issues that the attacker can fix if RDP access is enabled and granted to them.

Other remote desktop tools targeted by attackers included TeamViewer, Independent Computing Architecture (ICA), AnyDesk, and Splashtop Remote.
“Remote desktop solutions are useful and popular business tools that allow employees to connect to their computer network from wherever they are. Unfortunately, they are also a prime target for cyberattack,” said Jonathan Tanner, Senior Security Researcher at Barracuda.

“There are many different tools available, each using different and sometimes several virtual connection points, or ports, which make it harder for IT security teams to monitor for malicious connections and subsequent intrusion. Standardising on one remote desktop solution across the organisation will enable the IT team to focus resources on managing, monitoring, and securing the associated ports, blocking other traffic.”

Barracuda also recommends implementing defence-in-depth security solutions that can spot suspicious port traffic across the network. This should be complemented by robust security policies and programs, such as restricting remote service access to those who need it, using secure connections such as a VPN, and regularly updating software with the latest patches. Authentication methods should include the use of strong passwords, with multifactor authentication (MFA) as a minimum, ideally moving to a Zero Trust approach.