Remote desktop software allows employees to connect into their computer network without being physically linked to the host device or even in the same location. This makes it a useful tool for a distributed or remote workforce. Unfortunately, remote desktop software is also a prime target for cyberattack.
Among the security challenges facing IT teams implementing remote desktop software is that there are many different tools available, each using different and sometimes several ports to operate. Ports are virtual connection points that allow computers to differentiate between different kinds of traffic. The use of multiple ports can make it harder for IT security teams to monitor for and spot malicious connections and subsequent intrusion.
The simplest and most ubiquitous attack method used against remote desktop software is the abuse use of weak, reused, and/or phished credentials. These offer an attacker immediate access to the systems the user has access to. Remote desktop software implementations can also be vulnerable to software bug exploits and technical support scams.
In this article, we look at the most common tools, associated ports, and the ways in which attackers can, and do, gain access.
The most targeted remote desktop tools in the last 12 months
Virtual Network Computing (VNC) – Ports 5800+, 5900+
VNC, which uses the RFB protocol, is a widely used tool that is platform independent. This allows users and devices to connect to servers regardless of the operating system(s). VNC is used as the base software for, among others, Apple’s remote desktop and screen sharing solutions. It is also used extensively in critical infrastructure industries, such as utilities, which are a growing target for cyberattack.
According to Barracuda data sources, VNC was by far the most targeted remote desktop tool in the last year, accounting for 98% of the traffic across all remote desktop specific ports.
More than 99% of these attack attempts were aimed at HTTP ports, with the remaining 1% targeting TCP (transfer control protocol). This is likely because HTTP, the protocol used to access websites, requires no specific authentication, unlike TCP, which is used for data exchange between apps and devices.
Most of the observed attacks against VNC tried to brute force weak and reused passwords. The most common vulnerability targeted by attacks was CVE-2006-2369, which allows an attacker to bypass authentication in the 18-year-old RealVNC 4.1.1.
VNC encompasses several software offerings, and each can differ slightly in terms of features and functionality. Some have an 8-character limit for passwords, which can make cracking the password to gain access significantly easier for attackers. By default, VNC traffic is not encrypted, but some solutions used secure shell, SSH, or VPN tunneling to encrypt traffic, which helps to strengthen security.
VNC has a range of ports that it can use. The base ports are 5800 for TCP connections and 5900 for HTTP, but the display number (referred to as N in the specification) is added to the base port to allow connecting to different displays. The physical display is 0, which maps to the base ports, but connections and attacks can leverage higher port numbers as well. This complicates things from a security perspective since there aren’t one or two strictly defined ports to account for like in other remote desktop solutions.
The geographical source of the attacks is difficult to establish accurately because many attackers use proxies or VPNs to disguise their true origins. However, within that constraint it appears that around 60% of malicious traffic targeting VNC came from China.
Remote Desktop Protocol – Port 3389
RDP is a relatively common, proprietary protocol created by Microsoft for remote desktop use. RDP accounted for about 1.6% of the attempted attacks we detected against remote desktop tools in the last year. However, larger attacks against networks and data are more likely to involve RDP than VNC.
RDP attacks are often used to deploy malware, most often ransomware or cryptominers, or to harness vulnerable machines as part of DDoS attacks.
Around one in six (15%) of the attack attempts involved an obsolete cookie. This may be a deliberate tactic to help the attackers identify older, and therefore likely more vulnerable, versions of the RDP software for additional attacks.
Like other remote desktop services, RDP is mainly targeted with credential-based attacks. However, a few severe vulnerabilities have been reported over the years that enable remote code execution (RCE) on the target system. Some notable vulnerabilities include CVE-2018-0886, which affected the credential security support provider (CredSSP) used for RDP authentication; CVE-2019-0708, also known as BlueKeep, which was capable of being turned into a worm (although no in-the-wild worms have been reported); and CVE-2019-0887, which offered attackers a means to escape Hyper-V virtual machine instances to gain access to the hypervisor.
It is also possible for attackers to use RDP to gain password hashes for more privileged accounts that can manage workstations. This can be as part of an attack against a system with an RDP server enabled, or for privilege escalation by enabling RDP on a system that an attacker has already compromised.
However, despite these potentially high-risk RCE vulnerabilities, most exploit attempts observed against RDP were denial-of-service vulnerabilities, which accounted for 9% of the traffic observed.
RDP is also used in Microsoft Support vishing (voice/phone phishing) attacks that aim to scam users by convincing targets that their machine is having technical issues that the attacker can fix if RDP access is enabled and granted to them. There is also an underground market for vulnerable or cracked RDP instances for other attackers to use as they see fit, often fetching several dollars per instance.
The data suggests that most attack attempts against RDP originated in North America (accounting for roughly 42% of attacks), followed by China and India, although — as mentioned above — the use of proxies or VPNs can obfuscate the actual source of attacks.
TeamViewer – Port 5938
Attacks targeting TeamViewer accounted for 0.1% of malicious traffic across all remote desktop ports covered by our data sources. The few attacks detected involved the Log4Shell vulnerability and appeared to target the tool’s central management hub, the Frontline Command Center, which seems to be the only TeamViewer application using Java.
The most recent versions of TeamViewer are aimed at enterprise use and integration with Microsoft Teams, Salesforce, and ServiceNow, among others. As an enterprise offering, TeamViewer offers more security features such as device fingerprinting, automatically generated credentials (which prevent weak or reused passwords), exponential backoff for incorrect credentials (increasing the wait time exponentially every time incorrect credentials are used, which protects against brute-force attacks), and multifactor authentication (MFA). All traffic between the TeamViewer client and server is also encrypted to enhance security.
Despite these protections, however, TeamViewer is still sometimes used in or targeted by attacks. This is often down to phished or insecurely shared credentials. TeamViewer is also sometimes used in technical support scams.
In addition to port 5938, ports 80 and 443 may also be used with TeamViewer. This can make it more difficult for the security team to detect malicious connections on the network.
Independent Computing Architecture (ICA) – Ports 1494, 2598
ICA is a remote desktop protocol created by Citrix as an alternative to RDP, although the Citrix solutions using ICA typically also support RDP. Port 1494 is used for inbound ICA connections. ICA can also be encapsulated in Citrix’s Common Gateway Protocol, which uses port 2598. Some past versions of the ICA client carried RCE vulnerabilities. A more general RCE vulnerability, CVE-2023-3519, also affected the ICA Proxy and was used by attackers to create web shells on affected systems.
AnyDesk – Port 6568
AnyDesk is another remote desktop solution that has been used for tech support scams as well as mobile banking customer service scams. It was bundled into a few ransomware variants in 2018, possibly to confuse malware detection systems as to the malware’s true purpose. In addition to port 6568, it can also use ports 80 or 443.
Splashtop Remote – Port 6783
Although it accounted for the least attempted attack traffic among remote desktop solutions, Splashtop Remote has been used in support scams. It can also be compromised using weak, reused, or phished credentials.
Reducing the risk
Defense-in-depth security solutions that can spot suspicious port traffic across the network are critical. This should be complemented by robust security policies and programs, such as restricting remote service access to those who need it, using secure connections such as a VPN, and regularly updating software with the latest patches. Authentication methods should include the use of strong passwords with multifactor authentication (MFA) as a minimum. Moving to a Zero Trust approach would be ideal.
Standardizing on a specific remote desktop solution across the organization will enable the IT team to focus resources on managing, monitoring, and securing the associated ports, blocking other traffic.
Photo: marvent / Shutterstock