Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The VNC system is a common target for attackers because VNC provides remote access to other devices over the Remote Frame Buffer (RFB) protocol. If an attacker has VNC credentials for several devices on the network, they can easily open multiple VNC sessions. Then, they could laterally move across the network and possibly gain full remote desktop access to a critical device with an administrator account.
The system might change the risk score for this detection.
Kill Chain
Risk Score
37
Remote desktop-sharing systems, such as VNC, can enable an attacker to laterally move across a network, from one compromised device to the next, or they can provide an attacker direct access to a critical device. First, the attacker sends a connection request over RFB to VNC-enabled devices and then attempts to log in, either with stolen VNC credentials or by exploiting a vulnerability. If successful, the attacker can remotely run commands or code from the desktop, transfer unauthorized files, attempt data exfiltration, or take control of critical assets.
Only allow inbound external VNC connections from trusted devices
Limit the number of VNC login attempts and then block users that exceed this number
Disable or uninstall VNC on devices that do not require remote access
Enforce multi-factor authentication for remote logins
Implement microsegmentation by adding secure zones based on the zero-trust security model: partition network traffic with endpoint firewalls, virtual or software-defined networks, or physical networks
