Ransomware Actor Uses TeamViewer To Gain Initial Access to Networks

Attackers have increasingly leveraged the widely used remote access tool, installed on hundreds of millions of endpoints, to break into victim environments.

4 Min Read
TeamViewer logo in blue on black background
Alamy

This article originally appeared on Dark Reading.

TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices. Like other legitimate remote access technologies, it is also something that attackers have used with relative frequency to gain initial access on target systems.

Two attempted ransomware deployment incidents that researchers at Huntress recently observed are the latest case in point.

Failed Ransomware Deployment Attempts

The attacks that Huntress flagged targeted two disparate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware based on a leaked builder for LockBit 3.0 ransomware.

Further investigation showed the attackers had gained initial access to both endpoints via TeamViewer. The logs pointed to the attacks originating from an endpoint with the same hostname, indicating the same threat actor was behind both incidents. On one of the computers, the threat actor spent just over seven minutes after gaining initial access via TeamViewer, while on the other, the attacker's session lasted more than 10 minutes.

Huntress' report did not say how the attacker might have taken control of the TeamViewer instances in both cases. But Harlan Carvey, senior threat intelligence analyst at Huntress, says that some of the TeamViewer logins appear to be from legacy systems.

Related:Cybersecurity Trends and Predictions 2024 From Industry Insiders

"The logs provide no indication of logins for several months or weeks before the threat actor's access," he says. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login."

Carvey says it is possible that the threat actor was able to purchase access from an initial access broker (IAB), and that the credentials and connection information may have been obtained from other endpoints through the use of infostealers, a keystroke logger, or some other means.

Previous TeamViewer Cyber Incidents

There have been several past incidents where attackers have used TeamViewer in similar fashion. One was a campaign last May by a threat actor looking to install the XMRig cryptomining software on systems after gaining initial access via the tool. Another involved a data exfiltration campaign that Huntress investigated in December. Incident logs showed the threat actor had gained an initial foothold in the victim environment via TeamViewer. Much earlier, Kaspersky in 2020 reported on attacks it had observed on industrial control system environments that involved the use of remote access technologies such as RMS and TeamViewer for initial access.

There have also been incidents in the past — though fewer — of attackers using TeamViewer as an access vector in ransomware campaigns. In March 2016 for instance, several organizations reported getting infected with a ransomware strain called "Surprise" that researchers were later able to tieback to TeamViewer.

TeamViewer's remote access software has been installed on some 2.5 billion devices since the eponymously named company launched in 2005. Last year, the company described its software as currently running on more than 400 million devices, of which 30 million are connected to TeamViewer at any time. The software's vast footprint and its ease of use has made it an attractive target for attackers, just like other remote access technology.

How To Use TeamViewer Securely

TeamViewer itself has implemented mechanisms to mitigate the risk of attackers misusing its software to break into systems. The company has claimed that the only way an attacker can access a computer via TeamViewer is if the attacker has the TeamViewer ID and associated password.

"Without knowing the ID and password, it is not possible for others to access your computer," the company has noted, while listing measures that organizations can take to protect themselves against misuse.

These include:

  • Exiting TeamViewer when the software is not in use;

  • Using the software's Block and Allow list features to restrict access to specific individuals and devices;

  • Restricting access to certain features for incoming connections;

  • And denying connections from outside the enterprise network.

The company has also pointed to TeamViewer's support for conditional access policies that allow administrators to enforce remote access rights.

In a statement to Dark Reading, TeamViewer said that most instances of unauthorized access involve a weakening of TeamViewer's default security settings.

"This often includes the use of easily guessable passwords which is only possible by using an outdated version of our product," the statement said. "We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor-authentication, allow-lists, and regular updates to the latest software versions." The statement included a link to best practices for secure unattended access from TeamViewer Support.

Read more about:

Dark Reading

About the Authors

Jai Vijayan

Contributing writer, Dark Reading

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including big data, Hadoop, Internet of Things, e-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a master's degree in statistics and lives in Naperville, Illinois.

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like