Monitoring Virtual Network Computing – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about monitoring Virtual Network Computing for misuse (MITRE Technique T1021.005).

What is Virtual Network Computing (VNC)?

VNC is a platform-independent desktop sharing system that enables individuals to remotely control another computer over a network connection using the Remote Frame Buffer (RFB) protocol. It is similar to the Remote Desktop Protocol (RDP), but its scope is narrower than RDP’s full resource-sharing approach. It is important to note that, by default, VNC uses system credentials for authentication.

VNC is a popular choice for providing remote technical support, especially as we increasingly shift towards a permanent working model. Although VNC was originally developed by a research lab in Cambridge, its open source code has allowed a number of variants to be developed, each optimizing the tool for specific use cases.

Why You Need to Monitor for the Misuse of VNC

In attacks, VNC is primarily used as a means of persistence or exfiltration after a victim has been compromised. However, if endpoints lack proper password protection, they can also serve as entry points for unauthorized users, including threat actors with malicious intent. Unfortunately, as recently as August 2022, there were still reports of exposed VNC servers.

The reasons behind such a lax security posture can vary and may stem from negligence, human error, or, more worryingly, a decision made for the sake of convenience. Sacrificing a business’ security posture in favor of efficiency or speed is an ongoing concern for most organizations. With this in mind, it is crucial to monitor these potential areas of weakness.

Shuckworm, also known as Gamaredon, is an espionage collective that has been active since 2013 and is suspected of being backed by the Russian government. Despite VNC being primarily known for its legitimate remote desktop sharing capabilities, Shuckworm has repurposed it for its malicious activities.

Shuckworm has done this by incorporating a customized VNC module in its campaigns, enabling it to sustain its presence on infiltrated systems and facilitate data exfiltration. The payload module it deploys establishes a reverse connection to the attacker’s infrastructure, providing them with unrestrained control over the victim system.

How Can LogRhythm Help You?

To monitor for misuse, the Analytic Co-Pilot team has developed a pair of rules designed for monitoring VNC usage on both the LogRhythm SIEM and LogRhythm Axon platforms. The first rule leverages Sysmon logging to detect any instances of VNC activity on a host at the point of process creation. This serves as an early warning system to flag potential malicious activity before a significant compromise takes place.

Recognizing that such rules are sometimes deployed only after the initial compromise has occurred, the team has created a second rule that monitors for the VNC application within firewall rules, covering both inbound and outbound traffic.

Both rules were developed against a live VNC deployment to ensure that they trigger as intended when the expected traffic is seen.
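As an added illustration (not LogRhythm’s rule content or the Analytic Co-Pilot team’s code), the sketch below implements the two detections described above in Python: a Sysmon ProcessCreate check for VNC binaries and reverse-connection flags, and a firewall-log check for RFB ports in both directions. The VNC binary names and the key=value firewall fields are assumptions, and all sample events are constructed.

```python
import re

# Sysmon Event ID 1 is ProcessCreate. This watch list of common VNC binaries is an
# assumption for the example; extend it for the VNC variants actually used in your estate.
VNC_IMAGES = {"vncviewer.exe", "vncserver.exe", "winvnc.exe", "tvnserver.exe",
              "tvnviewer.exe", "x11vnc", "vino-server"}
# RFB servers listen on 5900 + display number; 5500 is the conventional port a
# listening viewer uses for reverse (server-initiated) connections.
RFB_SERVER_PORTS = range(5900, 6000)
RFB_REVERSE_PORT = 5500
KV = re.compile(r"(\w+)=(\S+)")

def vnc_process_alert(event):
    """Return an alert for a Sysmon ProcessCreate event that looks like VNC, else None.
    Flags a known binary name or a '-connect host::port' reverse-connection argument."""
    if event.get("EventID") != 1:
        return None
    image = event["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    reverse = re.search(r"-connect\s+(\S+?)::(\d+)", event.get("CommandLine", ""), re.I)
    if image in VNC_IMAGES or reverse:
        return {"host": event["Computer"], "user": event["User"], "image": image,
                "reverse_target": reverse.group(1) if reverse else None}
    return None

def vnc_firewall_alert(line):
    """Parse a key=value firewall log line and flag traffic to RFB ports, keeping direction."""
    f = dict(KV.findall(line))
    dpt = int(f.get("dpt", 0))
    if dpt in RFB_SERVER_PORTS or dpt == RFB_REVERSE_PORT:
        return {"direction": f["dir"], "src": f["src"], "dst": f["dst"], "dpt": dpt,
                "reverse": dpt == RFB_REVERSE_PORT}
    return None

# Constructed sample telemetry for demonstration; not captured from a real network.
SYSMON = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\TightVNC\\tvnserver.exe", "CommandLine": "tvnserver.exe -run"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\svc",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Computer": "WS03", "User": "CORP\\asmith",
     "Image": "C:\\Users\\Public\\update.exe", "CommandLine": "update.exe -connect 203.0.113.7::5500"},
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\x\\vncviewer.exe"},
]
FIREWALL = [
    "action=allow dir=in proto=tcp src=198.51.100.9 spt=50211 dst=10.0.0.5 dpt=5901",
    "action=allow dir=out proto=tcp src=10.0.0.7 spt=50212 dst=203.0.113.7 dpt=5500",
    "action=allow dir=out proto=tcp src=10.0.0.7 spt=50213 dst=192.0.2.10 dpt=443",
]

def run():
    """Apply both detections to the sample data; returns (process_alerts, firewall_alerts)."""
    procs = [a for a in map(vnc_process_alert, SYSMON) if a]
    flows = [a for a in map(vnc_firewall_alert, FIREWALL) if a]
    return procs, flows
```

The renamed binary on WS03 is caught only by its reverse-connection argument, and the matching outbound flow to port 5500 shows why the firewall rule needs to watch egress as well as ingress.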

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rules into your platform.

For other Security Spotlight episodes, you can access the full playlist here.