© 2022 CyberNews


Hacker breaches key Russian ministry in the blink of an eye


In mere seconds, a hacker remotely accessed a computer belonging to a regional Ministry of Health in Russia, taking advantage of sloppy security practices that exposed its files and gave him a view into the rest of its network.

Spielerkid89, who wished to remain anonymous, did not intend to harm the organization and left its systems intact. His experiment is nonetheless a textbook example of how poor cyber hygiene leaves organizations open to attack.

Russian state-sponsored cyber attacks can be devastating and leave hundreds of thousands of the Kremlin’s foes without water or electricity.

However, evidence suggests that the rogue superstate’s cyber capabilities are as weak as its military stance in Ukraine, especially when met with resistance.

An army of pro-Ukrainian hacktivists has already demonstrated how easy it is to take vital Russian services offline or deface them with anti-war messages.

No wonder Russia has been preparing to cut itself off from the global internet, hoping to move key government institutions to a sovereign Runet – a pan-Russian web limited to the Federation – to make them less prone to cyber attacks.

Hacker snoops around a key Russian ministry

Spurred into action by the invasion of Ukraine, Spielerkid89 decided to investigate whether he could find Russian IP addresses running services with authentication disabled. Using the Shodan search engine, which indexes banners of internet-exposed services, he soon found a virtual network computing (VNC) server, normally listening on TCP port 5900, that accepted connections with authentication switched off.

VNC is a desktop sharing system: it streams a computer's screen to a remote client and relays that client's keyboard and mouse input back, so you can use it to reach your work computer from home or any other location, or allow technical support staff to do likewise.

VNC should never grant a session without authenticating the user, and ideally it should not be reachable from the internet at all: it belongs behind a VPN or an SSH tunnel, because the protocol's own password mechanism is weak (a DES challenge-response keyed on at most eight characters of the password) and the session itself is unencrypted in most implementations. Nobody should be able to open a desktop session without being properly vetted, yet a VNC server left exposed with authentication disabled is a failure that is overlooked surprisingly often.

Following that lead, Spielerkid89 connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. To take over a ministry employee's desktop he needed no password or other authentication at all: the open VNC port handed him the screen, keyboard and mouse, and with them every file and piece of information on that computer.
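What "authentication disabled" means on the wire is visible in the first two messages a VNC server sends. The probe below is an added example written for this article; it is not code from Cybernews or from Spielerkid89. It speaks only the opening of the RFB handshake described in RFC 6143 (the ProtocolVersion exchange and the server's list of security types) and then disconnects without selecting a type, so it never opens a desktop session. Security type 1 ("None") is exactly the condition that let the hacker in. The host name, port and sample bytes are constructed for illustration; run it only against hosts you are authorised to test.

```python
"""RFB (VNC) security-type probe.

Added example for this article; not code from Cybernews or Spielerkid89.
Completes the ProtocolVersion exchange, reads the server's security types,
and disconnects without choosing one. Security type 1 ("None") means the
server will grant a desktop session with no password at all.
Host names, ports and sample bytes are constructed for illustration.
"""
import socket
import struct

# Security types registered in RFC 6143 s7.1.2 plus common extensions.
SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_protocol_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b"RFB 003.008\\n"."""
    if (len(banner) != 12 or banner[:4] != b"RFB "
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError(f"not an RFB ProtocolVersion message: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def _failure_reason(data: bytes, offset: int) -> str:
    """Decode the u32-length-prefixed reason string sent when the server refuses."""
    if len(data) < offset + 4:
        raise ValueError("truncated refusal message")
    (length,) = struct.unpack("!I", data[offset:offset + 4])
    return data[offset + 4:offset + 4 + length].decode("latin-1")


def parse_security_types(data: bytes, minor_version: int) -> list:
    """Return the security types offered in the message that follows the
    ProtocolVersion exchange.

    RFB 3.3: one big-endian u32 naming the type the server chose.
    RFB 3.7/3.8: u8 count, then `count` u8 types. Count 0 means the server
    refused and is followed by a u32 length and a reason string."""
    if minor_version < 7:
        if len(data) < 4:
            raise ValueError("truncated 3.3 security message")
        (sec_type,) = struct.unpack("!I", data[:4])
        if sec_type == 0:
            raise ValueError("server refused: " + _failure_reason(data, 4))
        return [sec_type]
    if not data:
        raise ValueError("empty security message")
    count = data[0]
    if count == 0:
        raise ValueError("server refused: " + _failure_reason(data, 1))
    if len(data) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(data[1:1 + count])


def classify(types: list) -> str:
    """What the offered types mean to whoever is scanning."""
    if 1 in types:
        return "UNAUTHENTICATED: type 1 (None) offered, anyone can open a session"
    if set(types) == {2}:
        return ("PASSWORD ONLY: VNC Authentication (DES challenge, key truncated "
                "to 8 chars, session unencrypted)")
    return "OTHER: " + ", ".join(SECURITY_TYPE_NAMES.get(t, str(t)) for t in types)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def probe_vnc(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Complete the ProtocolVersion exchange, read the security types, and
    close without choosing one, so no desktop session is ever opened."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        major, minor = parse_protocol_version(_recv_exact(s, 12))
        minor = min(minor, 8)                 # cap at the newest version we speak
        s.sendall(b"RFB %03d.%03d\n" % (major, minor))
        if minor < 7:                          # 3.3 style: single u32
            data = _recv_exact(s, 4)
            if data == b"\x00\x00\x00\x00":   # refusal: u32 length + reason
                data += _recv_exact(s, 4)
                data += _recv_exact(s, struct.unpack("!I", data[4:])[0])
        else:                                  # 3.7/3.8 style: u8 count + list
            data = _recv_exact(s, 1)
            if data[0] == 0:
                data += _recv_exact(s, 4)
                data += _recv_exact(s, struct.unpack("!I", data[1:])[0])
            else:
                data += _recv_exact(s, data[0])
        types = parse_security_types(data, minor)
    return {"version": f"{major}.{minor}", "types": types, "verdict": classify(types)}


def demo() -> dict:
    """Offline walk-through on constructed bytes: a 3.8 server offering both
    None and VNC Authentication, as an unauthenticated host typically does."""
    banner = b"RFB 003.008\n"                 # constructed server banner
    sec_msg = b"\x02\x01\x02"                 # constructed: count=2, types [1, 2]
    major, minor = parse_protocol_version(banner)
    types = parse_security_types(sec_msg, minor)
    return {"version": f"{major}.{minor}", "types": types, "verdict": classify(types)}


if __name__ == "__main__":
    print(demo())
    # Against a live host you are authorised to test (192.0.2.10 is a documentation address):
    # print(probe_vnc("192.0.2.10", 5900))
```

A server that lists type 1 anywhere in its offer is the case in this story: the client simply picks "None" and is handed the desktop. Note that a server offering only type 2 is not much better when exposed to the internet, since the classic VNC password is brute-forceable and the session is not encrypted; the fix is the same in both cases, require authentication and keep port 5900 off the public internet.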

"I was able to access people's names, other IP addresses pointing to other computers on the network, and financial documents, too," he said.

The Cybernews research team confirmed that Spielerkid89 did indeed gain access to a computer belonging to this Russian ministry. As mentioned above, it was not his intention to harm the organization, and he left its systems intact.

A simple mistake with colossal effect

Spielerkid89 is not a threat actor, and he didn't harm the organization – he simply took a few screenshots as proof.

[Screenshot: the accessed computer's desktop]

However, his experiment illustrates how easy it is for a malicious hacker to breach an organization. Once inside a computer through an open VNC port with authentication disabled, a criminal could download sensitive files, spy on other computers and servers on the network, set up services as a backdoor, and install malware such as remote access Trojans, among other things.

"You can do anything you want, basically with full, unfettered access," Spielerkid89 explained.

He added that open VNC ports with authentication disabled are a common security failing.

"It was so easy to gain access to these systems. They shouldn't be there unauthenticated. That's a serious security breach of assets right there. I didn't need anything to get it, really," he said.

The port he used to gain entry and snoop around the Omsk ministry is now closed. However, VNC and the remote desktop protocol (RDP) remain among the most common initial entry points into an organization's network.

Information security company SecurityScorecard has developed a machine-learning model that estimates the relative likelihood of a company falling victim to a ransomware attack.

Businesses are most susceptible to such attacks through vulnerabilities that enable remote-code execution, according to the company’s vice president of cyber threat intelligence, Ryan Sherstobitoff.

"The most common ones are RDP and VNC, because access brokers essentially sell those credentials on the dark web, which would then enable a ransomware actor to get in," he told Cybernews.




Comments

Terminator, 2 months ago:
Why bother telling anybody or doing mischief. If it is not a healthcare make it ransom, if yes then only record data. Plant a seed anyway.

David from VA, 2 months ago:
This article should probably be titled "Kid 'hacker' falls for Russian honey pot". If it seems too easy, it probably is…