TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices. Like other legitimate remote access technologies, it’s also something that attackers have used with relative frequency to gain initial access on target systems.
Two attempted ransomware deployment incidents that researchers at Huntress recently observed are the latest case in point.
Failed Ransomware Deployment Attempts
The attacks that Huntress flagged targeted two disparate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware based on a leaked builder for LockBit 3.0 ransomware.
Further investigation showed the attackers had gained initial access to both endpoints via TeamViewer. The logs pointed to the attacks originating from an endpoint with the same hostname, indicating the same threat actor was behind both incidents. On one of the computers, the threat actor spent just over seven minutes after gaining initial access via TeamViewer, while on the other, the attacker’s session lasted more than 10 minutes.
Huntress’ report didn’t say how the attacker might have taken control of the TeamViewer instances in both cases. But Harlan Carvey, senior threat intelligence analyst at Huntress, says that some of the TeamViewer logins appear to be from legacy systems.
“The logs show no indication of logins for several months or weeks before the threat actor’s access,” he says. “In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor’s login.”
Carvey says it’s possible that the threat actor was able to purchase access from an initial access broker (IAB), and that the credentials and connection information may have been obtained from other endpoints through the use of infostealers, a keystroke logger, or some other means.
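As an added example (not from the Huntress report or from TeamViewer), the Python below applies the two signals described above, a login after a long dormant period and the same remote hostname connecting to more than one endpoint, to constructed log lines. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (remote ID, display name, start, end, local user, session type, connection GUID); the layout, hostnames, IDs and timestamps are assumptions, not values from the article.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed layout of TeamViewer's Connections_incoming.txt
# (tab-separated: remote ID, remote display name, start, end, local user, type, GUID).
HOST_A_LOG = """\
111111111\tHELPDESK-PC\t04-06-2023 09:12:00\t04-06-2023 09:40:00\tjsmith\tRemoteControl\t{A1}
111111111\tHELPDESK-PC\t11-07-2023 14:03:00\t11-07-2023 14:22:00\tjsmith\tRemoteControl\t{A2}
999999999\tDESKTOP-ATTK\t15-01-2024 02:10:00\t15-01-2024 02:17:15\tjsmith\tRemoteControl\t{A3}
"""
HOST_B_LOG = """\
222222222\tIT-LAPTOP\t10-01-2024 16:00:00\t10-01-2024 16:30:00\tadmin\tRemoteControl\t{B1}
999999999\tDESKTOP-ATTK\t15-01-2024 03:05:00\t15-01-2024 03:16:00\tadmin\tRemoteControl\t{B2}
"""
DATE_FMT = "%d-%m-%Y %H:%M:%S"  # assumed day-first timestamp format

def parse_incoming(text):
    """Parse incoming-connection lines into dicts sorted by start time."""
    rows = []
    for parts in csv.reader(text.splitlines(), delimiter="\t"):
        if len(parts) < 7:
            continue  # skip blank or truncated lines
        rows.append({"id": parts[0], "name": parts[1],
                     "start": datetime.strptime(parts[2], DATE_FMT),
                     "end": datetime.strptime(parts[3], DATE_FMT),
                     "user": parts[4], "type": parts[5]})
    return sorted(rows, key=lambda r: r["start"])

def find_suspicious(rows, dormant_days=60, known_names=()):
    """Flag sessions that follow a long quiet period or come from an unknown remote name."""
    alerts, prev_end = [], None
    for r in rows:
        reasons = []
        if prev_end is not None and r["start"] - prev_end > timedelta(days=dormant_days):
            reasons.append("first login after %d dormant days" % (r["start"] - prev_end).days)
        if known_names and r["name"] not in known_names:
            reasons.append("unknown remote name %s" % r["name"])
        if reasons:
            minutes = int((r["end"] - r["start"]).total_seconds() // 60)
            alerts.append((r["name"], minutes, reasons))
        prev_end = r["end"]
    return alerts

def shared_remote_names(logs_by_host):
    """Remote ID/name pairs that connected to more than one endpoint (the cross-host signal)."""
    seen = defaultdict(set)
    for host, text in logs_by_host.items():
        for r in parse_incoming(text):
            seen[(r["id"], r["name"])].add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Run `find_suspicious` per endpoint against an allow-list of the help desk's own machine names, and `shared_remote_names` across the fleet's collected logs to surface one remote host touching several endpoints.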
Previous TeamViewer Cyber Incidents
There have been several previous incidents where attackers have used TeamViewer in similar fashion. One was a campaign last May by a threat actor looking to install the XMRig cryptomining software on systems after gaining initial access via the tool. Another involved a data exfiltration campaign that Huntress investigated in December. Incident logs showed the threat actor had gained an initial foothold in the victim environment via TeamViewer. Much earlier, Kaspersky in 2020 reported on attacks it had observed on industrial control system environments that involved the use of remote access technologies such as RMS and TeamViewer for initial access.
There have also been incidents in the past — though fewer — of attackers using TeamViewer as an access vector in ransomware campaigns. In March 2016, for instance, several organizations reported getting infected with a ransomware strain called “Surprise” that researchers were later able to tie back to TeamViewer.
TeamViewer’s remote access software has been installed on some 2.5 billion devices since the eponymously named company launched in 2005. Last year, the company described its software as currently running on more than 400 million devices, of which 30 million are connected to TeamViewer at any time. The software’s huge footprint and its ease of use have made it an attractive target for attackers, just like other remote access technology.
How to Use TeamViewer Securely
TeamViewer itself has implemented mechanisms to mitigate the risk of attackers misusing its software to break into systems. The company has claimed that the only way an attacker can access a computer via TeamViewer is if the attacker has the TeamViewer ID and associated password.
“Without knowing the ID and password, it’s not possible for others to access your computer,” the company has noted, while listing measures that organizations can take to protect themselves against misuse.
These include:
- Exiting TeamViewer when the software is not in use;
- Using the software’s Block and Allow list features to restrict access to specific individuals and devices;
- Limiting access to certain features for incoming connections;
- And denying connections from outside the corporate network.
The company has also pointed to TeamViewer’s support for conditional access policies that allow administrators to enforce remote access rights.
In a statement to Dark Reading, TeamViewer said that most instances of unauthorized access involve a weakening of TeamViewer’s default security settings.
“This often includes the use of easily guessable passwords, which is only possible by using an outdated version of our product,” the statement said. “We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor authentication, allow-lists, and regular updates to the latest software versions.” The statement included a link to best practices for secure unattended access from TeamViewer Support.