TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices. Like other legitimate remote access technologies, it is also something that attackers have used with relative frequency to gain initial access to target systems.
Two attempted ransomware deployment incidents that researchers at Huntress recently observed are the latest case in point.
Failed Ransomware Deployment Attempts
The attacks that Huntress flagged targeted two disparate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware based on a leaked builder for LockBit 3.0 ransomware.
Further investigation showed the attackers had gained initial access to both endpoints via TeamViewer. The logs pointed to the attacks originating from an endpoint with the same hostname, indicating the same threat actor was behind both incidents. On one of the computers, the threat actor spent just over seven minutes after gaining initial access via TeamViewer, while on the other, the attacker’s session lasted more than 10 minutes.
Huntress’ report did not say how the attacker might have taken control of the TeamViewer instances in both cases. But Harlan Carvey, senior threat intelligence analyst at Huntress, says that some of the TeamViewer logins appear to be from legacy systems.
“The logs show no indication of logins for several months or weeks before the threat actor’s access,” he says. “In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor’s login.”
Carvey says it is possible that the threat actor was able to purchase access from an initial access broker (IAB), and that the credentials and connection information may have been obtained from other endpoints through the use of infostealers, a keystroke logger, or some other means.
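As an added illustration of the kind of log review Carvey describes (this is not code from Huntress or from the article), the script below parses constructed lines in the shape of TeamViewer's incoming-connection log and flags sessions that come from a remote host never seen before or that arrive after a long idle gap, reporting each flagged session's length in minutes. The tab-separated layout, the day-month-year timestamp format, and every value in the sample are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines shaped like TeamViewer's Connections_incoming.txt
# (assumed tab-separated layout: remote ID, remote display name, start, end,
# local user, session type, connection GUID). All values are made up.
SAMPLE_LOG = """\
100000001\tHR-LAPTOP-07\t01-11-2023 09:12:30\t01-11-2023 09:20:10\tjdoe\tRemoteControl\t{guid-1}
100000001\tHR-LAPTOP-07\t03-11-2023 14:05:00\t03-11-2023 14:09:45\tjdoe\tRemoteControl\t{guid-2}
200000002\tDESKTOP-XYZ123\t16-01-2024 02:41:12\t16-01-2024 02:48:30\tjdoe\tRemoteControl\t{guid-3}
"""
TIME_FMT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year ordering

def parse_incoming(log_text):
    """Return one dict per incoming session, sorted by start time."""
    sessions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rid, name, start, end, user, kind, _cid = line.split("\t")
        sessions.append({
            "remote_id": rid, "remote_name": name, "user": user, "type": kind,
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT),
        })
    return sorted(sessions, key=lambda s: s["start"])

def flag_sessions(sessions, dormancy_days=30):
    """Flag sessions from a never-before-seen remote host and sessions that
    follow an idle gap longer than dormancy_days; the first session only
    seeds the baseline. Each finding carries the session length in minutes."""
    findings, known_hosts, previous = [], set(), None
    for s in sessions:
        reasons = []
        if previous is not None and s["remote_name"] not in known_hosts:
            reasons.append("first connection from remote host " + s["remote_name"])
        if previous is not None:
            gap = s["start"] - previous["start"]
            if gap > timedelta(days=dormancy_days):
                reasons.append(f"first login after {gap.days} idle days")
        if reasons:
            minutes = round((s["end"] - s["start"]).total_seconds() / 60, 1)
            findings.append({"remote_name": s["remote_name"], "start": s["start"],
                             "minutes": minutes, "reasons": reasons})
        known_hosts.add(s["remote_name"])
        previous = s
    return findings

if __name__ == "__main__":
    for f in flag_sessions(parse_incoming(SAMPLE_LOG)):
        print(f["start"], f["remote_name"], f["minutes"], "min:", "; ".join(f["reasons"]))
```

Run against the sample, only the third session is flagged: it comes from an unknown host, follows a 73-day gap, and lasts about seven minutes, matching the short dwell time the incidents above describe.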
Earlier TeamViewer Cyber Incidents
There have been several previous incidents where attackers have used TeamViewer in similar fashion. One was a campaign last May by a threat actor attempting to install the XMRig cryptomining software on systems after gaining initial access via the tool. Another involved a data exfiltration campaign that Huntress investigated in December. Incident logs showed the threat actor had gained an initial foothold in the victim environment via TeamViewer. Much earlier, Kaspersky in 2020 reported on attacks it had observed on industrial control system environments that involved the use of remote access technologies such as RMS and TeamViewer for initial access.
There have also been incidents in the past — though fewer — of attackers using TeamViewer as an access vector in ransomware campaigns. In March 2016, for instance, several organizations reported getting infected with a ransomware strain called “Surprise” that researchers were later able to tie back to TeamViewer.
TeamViewer’s remote access software has been installed on some 2.5 billion devices since the eponymously named company launched in 2005. Last year, the company described its software as currently running on more than 400 million devices, of which 30 million are connected to TeamViewer at any time. The software’s massive footprint and its ease of use have made it an attractive target for attackers, just like other remote access technology.
How to Use TeamViewer Securely
TeamViewer itself has implemented mechanisms to mitigate the risk of attackers misusing its software to break into systems. The company has claimed that the only way an attacker can access a computer via TeamViewer is if the attacker has the TeamViewer ID and associated password.
“Without knowing the ID and password, it is not possible for others to access your computer,” the company has noted, while listing measures that organizations can take to protect themselves against misuse.
These include:
- Exiting TeamViewer when the software is not in use;
- Using the software’s Block and Allow list features to restrict access to specific individuals and devices;
- Restricting access to certain features for incoming connections;
- And denying connections from outside the enterprise network.
The company has also pointed to TeamViewer’s support for conditional access policies that allow administrators to enforce remote access rights.
In a statement to Dark Reading, TeamViewer said that most instances of unauthorized access involve a weakening of TeamViewer’s default security settings.
“This often includes the use of easily guessable passwords, which is only possible by using an outdated version of our product,” the statement said. “We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor authentication, allow-lists, and regular updates to the latest software versions.” The statement included a link to best practices for secure unattended access from TeamViewer Support.