Ransomware actors are once more utilizing TeamViewer to achieve preliminary entry to group endpoints and try and deploy encryptors primarily based on the leaked LockBit ransomware builder.
TeamViewer is a professional distant entry software used extensively within the enterprise world, valued for its simplicity and capabilities.
Sadly, the software can be cherished by scammers and even ransomware actors, who use it to achieve entry to distant desktops, dropping and executing malicious recordsdata unhindered.
The same case was first reported in March 2016, when quite a few victims confirmed within the BleepingComputer boards that their gadgets had been breached utilizing TeamViewer to encrypt recordsdata with the Shock ransomware.
On the time, TeamViewer’s rationalization for the unauthorized entry was credential stuffing, that means the attackers didn’t exploit a zero-day vulnerability within the software program however as an alternative used customers’ leaked credentials.
“As TeamViewer is a extensively unfold software program, many on-line criminals try to go online with the info of compromised accounts, so as to discover out whether or not there’s a corresponding TeamViewer account with the identical credentials,” defined the software program vendor on the time.
“If that is so, likelihood is they will entry all assigned gadgets, so as to set up malware or ransomware.”
TeamViewer focused once more
A brand new report from Huntress reveals that cybercriminals have not deserted these outdated methods, nonetheless taking on gadgets by way of TeamViewer to try to deploy ransomware.
The analyzed log recordsdata (connections_incoming.txt) confirmed connections from the identical supply in each instances, indicating a standard attacker.
Within the first compromised endpoint, Huntress noticed within the logs a number of accesses by workers, indicating the software program was actively utilized by the workers for professional administrative duties.
Within the second endpoint seen by Huntress, which has been operating since 2018, there had been no exercise within the logs for the previous three months, indicating that it was much less continuously monitored, presumably making it extra enticing for the attackers.
In each instances, the attackers tried to deploy the ransomware payload utilizing a DOS batch file (PP.bat) positioned on the desktop, which executed a DLL file (payload) by way of a rundll32.exe command.
Supply: BleepingComputer
The assault on the primary endpoint succeeded however was contained. On the second, the antivirus product stopped the trouble, forcing repeated payload execution makes an attempt with no success.
Whereas Huntress hasn’t been in a position to attribute the assaults with certainty to any recognized ransomware gangs, they be aware that it’s just like LockBit encryptors created utilizing a leaked LockBit Black builder.
In 2022, the ransomware builder for LockBit 3.0 was leaked, with the Bl00dy and Buhti gangs rapidly launching their very own campaigns utilizing the builder.
The leaked builder permits you to create completely different variations of the encryptor, together with an executable, a DLL, and an encrypted DLL that requires a password to launch correctly.
Supply: BleepingComputer
Primarily based on the IOCs supplied by Huntress, the assaults by means of TeamViewer seem like utilizing the password-protected LockBit 3 DLL.
Whereas BleepingComputer couldn’t discover the particular pattern seen by Huntress, we discovered a completely different pattern uploaded to VirusTotal final week.
This pattern is detected as LockBit Black however doesn’t use the usual LockBit 3.0 ransomware be aware, indicating it was created by one other ransomware gang utilizing the leaked builder.
Supply: BleepingComputer
Whereas it’s unclear how the menace actors are actually taking management of TeamViewer cases, the corporate shared the next assertion with BleepingComputer concerning the assaults and on securing installations.
“At TeamViewer, we take the safety and integrity of our platform extraordinarily significantly and unequivocally condemn any type of malicious use of our software program.
Our evaluation reveals that the majority cases of unauthorized entry contain a weakening of TeamViewer’s default safety settings. This typically consists of using simply guessable passwords which is barely doable by utilizing an outdated model of our product. We consistently emphasize the significance of sustaining sturdy safety practices, equivalent to utilizing advanced passwords, two-factor-authentication, allow-lists, and common updates to the most recent software program variations. These steps are important in safeguarding towards unauthorized entry.
To additional assist our customers in sustaining safe operations, we now have printed a set of greatest practices for safe unattended entry, which may be discovered at [Best practices for secure unattended access – TeamViewer Support]. We strongly encourage all our customers to observe these pointers to boost their safety posture.”
