In mere seconds, a hacker remotely accessed a computer belonging to a regional Ministry of Health in Russia, taking advantage of sloppy cybersecurity practices to expose its entire network.
Spielerkid89, who wished to remain anonymous, did not intend to harm the organization and left its systems intact. However, his experiment is a perfect example of how poor cyber hygiene can leave organizations vulnerable to cyber attacks.
Russian state-sponsored cyber attacks can be devastating and leave hundreds of thousands of the Kremlin’s foes without water or electricity.
However, evidence suggests that the rogue superstate’s cyber capabilities are as weak as its military stance in Ukraine, especially when met with resistance.
An army of pro-Ukrainian hacktivists has already demonstrated how easy it is to take vital Russian services offline or intercept them with anti-war messages.
No wonder Russia has been preparing to cut itself off from the global internet, hoping to move key government institutions to a sovereign Runet – a pan-Russian web limited to the Federation – to make them less prone to cyber attacks.
Hacker snoops around the key Russian ministry
Spurred into action by the invasion of Ukraine, Spielerkid89 decided to investigate whether he could find Russian IPs with disabled authentication to fool with. By using the Shodan search engine, Spielerkid89 soon discovered an open virtual network computing (VNC) port with disabled authentication.
VNC is a desktop sharing system – you can use it to remotely access your work computer from home or any other location, or allow technical support staff to do likewise.
Ideally, VNC should be used only with authenticated users, such as system administrators. Nobody should access a computer without being properly vetted, but that seems to be a security issue that is often overlooked.
As a result, Spielerkid89 connected to a computer belonging to the Ministry of Health in the Omsk region of Russia. To remotely access a ministry employee's desktop, the hacker didn't need any password or authentication – he could access all the files and information on that computer via an open VNC port.
"I was able to access people's names, other IP addresses pointing to other computers on the network, and financial documents, too," he said.
The Cybernews research team confirmed that Spielerkid89 did indeed gain access to a computer belonging to this Russian ministry. As mentioned above, it was not his intention to harm the organization, and he left its systems intact.
A simple mistake with colossal effect
Spielerkid89 is not a threat actor, and he didn't harm the organization – he simply took a few screenshots as proof.
However, his experiment illustrates how easy it is for a malicious hacker to breach an organization. By remotely accessing a computer via an open VNC port with disabled authentication, a criminal could download sensitive files, spy on other computers or servers in the network, set up services to create a backdoor, and install malware or remote access Trojans, among other things.
"You can do anything you want, basically with full, unfettered access," Spielerkid89 explained.
He added that open VNC ports with disabled authentication are common cybersecurity malpractice.
"It was so easy to gain access to these systems. They shouldn't be there unauthenticated. That's a serious security breach of assets right there. I didn't need anything to get it, really," he said.
The port he used to gain entry and snoop around the Omsk ministry is now closed. However, VNC and the remote desktop protocol (RDP) remain among the main entry points into an organization.
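For defenders auditing their own VNC servers for the misconfiguration described above, this added example (not from the article or from Cybernews) parses the two messages an RFB server sends during its handshake and reports whether the "None" security type is on offer. The function name, status labels and sample bytes are assumptions constructed for illustration; the type numbers and message layout follow RFC 6143.

```python
import re
import struct

# Security-type numbers defined by the RFB protocol specification (RFC 6143).
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def parse_rfb_security(banner: bytes, security_msg: bytes) -> dict:
    """Classify a VNC server from the two messages it sends while handshaking.

    banner       -- 12-byte ProtocolVersion message, e.g. b"RFB 003.008\\n"
    security_msg -- the server's security message sent after the version exchange
    """
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if m is None:
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(m.group(1)), int(m.group(2))

    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates one type as a 32-bit big-endian integer.
        if len(security_msg) < 4:
            raise ValueError("truncated security message")
        types = [struct.unpack(">I", security_msg[:4])[0]]
    else:
        # RFB 3.7+: a count byte followed by that many one-byte types.
        if not security_msg:
            raise ValueError("truncated security message")
        count = security_msg[0]
        types = list(security_msg[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")

    if not types or types == [0]:
        status = "refused"            # count 0 / type 0: server rejected the handshake
    elif 1 in types:
        status = "unauthenticated"    # "None" offered: desktop reachable with no password
    else:
        status = "auth-required"
    names = [SECURITY_NAMES.get(t, f"type {t}") for t in types]
    return {"version": f"{major}.{minor}", "types": names, "status": status}


if __name__ == "__main__":
    # Constructed handshake bytes for illustration, not captured from a real host.
    print(parse_rfb_security(b"RFB 003.008\n", b"\x01\x01"))
    print(parse_rfb_security(b"RFB 003.008\n", b"\x02\x02\x13"))
    print(parse_rfb_security(b"RFB 003.003\n", b"\x00\x00\x00\x01"))
```

Any server of your own that comes back as "unauthenticated" should have a password or stronger security type enforced and should not be reachable from the internet.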
Information security company SecurityScorecard has developed a machine-learning model that estimates the relative likelihood of a company falling victim to a ransomware attack.
Businesses are most susceptible to such attacks through vulnerabilities that enable remote-code execution, according to the company’s vice president of cyber threat intelligence, Ryan Sherstobitoff.
"The most common ones are RDP and VNC, because access brokers essentially sell those credentials on the dark web, which would then enable a ransomware actor to get in," he told Cybernews.