{"id":2390,"date":"2024-01-19T21:30:00","date_gmt":"2024-01-19T21:30:00","guid":{"rendered":"https:\/\/www.darkreading.com\/endpoint-security\/ransomware-actor-teamviewer-initial-access-networks"},"modified":"2024-01-19T21:30:00","modified_gmt":"2024-01-19T21:30:00","slug":"ransomware-actor-uses-teamviewer-to-gain-initial-access-to-networks","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/19\/ransomware-actor-uses-teamviewer-to-gain-initial-access-to-networks\/","title":{"rendered":"Ransomware Actor Uses TeamViewer to Gain Initial Access to Networks"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices. Like other legitimate remote access technologies, it is also something that attackers have used with relative frequency to gain initial access on target systems.<\/span><\/p>\n

Two attempted ransomware deployment incidents that researchers at Huntress recently observed are the latest case in point.<\/span><\/p>\n

Failed Ransomware Deployment Attempts<\/span><\/h2>\n

The attacks that Huntress flagged targeted two disparate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware based on a leaked builder for <\/span>LockBit 3.0 ransomware<\/a><\/span>.<\/span><\/p>\n

Further investigation showed the attackers had gained initial access to both endpoints via TeamViewer. The logs pointed to the attacks originating from an endpoint with the same hostname, indicating the same threat actor was behind both incidents. On one of the computers, the threat actor spent just over seven minutes after gaining initial access via TeamViewer, while on the other, the attacker’s session lasted more than 10 minutes.<\/span><\/p>\n

Huntress’ report did not say how the attacker might have taken control of the TeamViewer instances in both cases. But Harlan Carvey, senior threat intelligence analyst at Huntress, says that some of the TeamViewer logins appear to be from legacy systems.<\/span><\/p>\n

“The logs provide no indication of logins for several months or weeks before the threat actor’s access,” he says. “In other instances, there are several legitimate logins, consistent with prior logins \u2014 username, workstation name, etc. \u2014 shortly before the threat actor’s login.”<\/span><\/p>\n

Carvey says it is possible that the threat actor was able to <\/span>purchase access from an initial access broker (IAB),<\/a><\/span> and that the credentials and connection information may have been obtained from other endpoints through the use of infostealers, a keystroke logger, or some other means.<\/span><\/p>\n

Previous TeamViewer Cyber Incidents<\/span><\/h2>\n

There have been several past incidents where attackers have used TeamViewer in similar fashion. One was a campaign last May by a threat actor looking to install the <\/span>XMRig cryptomining software<\/a><\/span> on systems after gaining initial access via the tool. Another involved a <\/span>data exfiltration campaign<\/a><\/span> that Huntress investigated in December. Incident logs showed the threat actor had gained an initial foothold in the victim environment via TeamViewer. Much earlier, Kaspersky in 2020 reported on attacks it had observed on <\/span>industrial control system environments<\/a><\/span> that involved the use of remote access technologies such as RMS and TeamViewer for initial access.<\/span><\/p>\n

There have also been incidents in the past \u2014 though fewer \u2014 of attackers using TeamViewer as an access vector in ransomware campaigns. In March 2016 for instance, several organizations reported getting infected with a <\/span>ransomware strain called “Surprise”<\/a><\/span> that researchers were later able to tieback to TeamViewer.<\/span><\/p>\n

TeamViewer’s remote access software has been installed on some 2.5 billion devices since the eponymously named company launched in 2005. Last year, the company described its software as currently <\/span>running on more than 400 million devices<\/a><\/span>, of which 30 million are connected to TeamViewer at any time. The software’s vast footprint and its ease of use has made it an attractive target for attackers, just like other remote access technology.<\/span><\/p>\n

How to Use TeamViewer Securely<\/span><\/h2>\n

TeamViewer itself has implemented mechanisms to mitigate the risk of attackers misusing its software to break into systems. The company has claimed that the only way an attacker can access a computer via TeamViewer is if the attacker has the TeamViewer ID and associated password.<\/span><\/p>\n

“Without knowing the ID and password, it is not possible for others to access your computer,” the <\/span>company has noted,<\/a><\/span> while listing measures that organizations can take to protect themselves against misuse.<\/span><\/p>\n

These include:<\/span><\/p>\n

\n