But it should be said that VNC solutions aren’t evil by design; like anything, it’s all in the intent of the user. Take the use of threat emulation tool Cobalt Strike as the perfect parallel example – it was created so red and purple security teams could simulate attacks to test their defences, but is used today in ransomware attacks, advanced persistent threats, supply chain attacks, and more. It is regularly sold on the market to organizations for legitimate purposes but has simply been taken advantage of by cybercriminals to assist with various parts of an attack chain.
In reality, VNC-based remote control has been around for just over two decades and is available today in a number of flavors based on the open-source General Public License. Because of this, many threat actors have chosen to use this free mode of establishing remote access because of its availability and – depending on the implementation of VNC – functionality.
But, in the same way, the last 20 years of VNC’s existence have also caused organizations to realize the internal value of VNC-based solutions, beyond what you read in the cybersecurity headlines. Below are three examples of how VNC is legitimately being used today, using Microsoft Remote Desktop as a comparable.
1. Remote Desktop Replacement
Microsoft’s Remote Desktop Protocol (RDP) has given organizations an easy way to remotely access Windows desktops for years. But many organizations require a more secure method of easily accessing endpoints and servers that basic RDP just doesn’t offer (without additional service implementation), but is found within some VNC solutions. This can include multi-factor authentication, single sign-on providers, RADIUS servers, and more. Additionally, those users that are relying on a single physical endpoint to connect to (rather than session-based virtualization or a virtual desktop infrastructure) use VNC as a means to securely access their system.
2. Internal Secure Remote Access
Accessing RDP sessions is a relatively unintelligent process, where the user connects directly to the remote desktop via name or IP address, all without concern for any security or performance ramifications. Microsoft’s Remote Desktop Services can extend the use of RDP to include access via Azure, taking the remote session request across the Internet. But not all remote access sessions should traverse the Internet; the security needs of the organization may dictate that in certain circumstances, remote sessions that are internal in nature (that is, both the user and the system to be accessed exist within the corporate network) remain internal. Some VNC solutions are intelligent enough to take into consideration whether a session needs to traverse the Internet or remain internal, which can improve both the speed and security of a session.
3. Remote Support
Anyone who’s worked a support desk knows there comes a time when you need to see what the user with the problem sees in order to fix the issue. At the core of VNC’s screen-sharing technology is its Remote Frame Buffer (RFB) protocol, which allows the remote user to interact with the interactive user on the desktop. Unlike Microsoft’s Native RDP (which provides the remote user with a virtual desktop session), VNC can be used by support professionals to work with users in order to solve application issues. Now, Microsoft does have Remote Desktop Session Shadowing, but that requires the user to be supported to have a virtual desktop session on an RDS server.
Why VNC Gets a Bad Rap
While I’ve provided a few positive use-cases for VNC, the question that still remains is: “how come it’s used by the bad guys so often?”. The answer is that because VNC was originally made as an open-source project decades ago, there are dozens of reasonably good implementations today that provide basic remote access functionality.
The real question is whether VNC is limited to threat actions or whether it does have a legitimate value in organizations today. A lot of that depends on which VNC-based remote access solution you’re using. MITRE does mention a few specific implementations of VNC – usually, ones that are free to use; which makes sense, as cybercriminals aren’t exactly looking to pay for the software they use and any solution that provides them the needed functionality – especially if it costs them nothing – is perfectly suited for their purposes.
Seeing VNC Beyond Its Misuse
The reality here is VNC itself shouldn’t be measured not for how it’s misused; take whatever litmus test you use to determine whether Cobalt Strike is bad and apply it here. Instead, consider a given VNC solution for its capabilities, security, and support, and whether it meets the organization’s needs, treating it like any other software solution of any kind.