In a recent wave of ransomware attacks, threat actors have once again used TeamViewer as the entry point into organizational networks. TeamViewer is a legitimate remote access tool that enterprises use widely for its simplicity and capabilities, and that is exactly what makes it attractive to scammers and ransomware operators: a remote session through a sanctioned tool draws far less attention than malware does.
Historical Context of Breaches
The misuse of TeamViewer for this purpose is not new. A similar case was reported in March 2016, when victims confirmed that their devices had been breached through TeamViewer to deploy the Surprise ransomware. At the time, TeamViewer attributed the unauthorized access to credential stuffing, in which attackers log in with passwords leaked in unrelated breaches and reused by the victims, rather than to a vulnerability in the software itself.
Current Landscape of Attacks
A recent report from cybersecurity firm Huntress shows that cybercriminals are still using the same old technique. The attackers gain access to devices through TeamViewer and then attempt to deploy ransomware built with the leaked LockBit ransomware builder. Huntress analyzed the TeamViewer log file connections_incoming.txt on the affected endpoints and found connections from the same remote source in multiple cases, which suggests a single attacker behind them.
On one compromised endpoint, the logs showed that employees were actively using TeamViewer for legitimate administrative tasks. The other endpoint had TeamViewer logs going back to 2018 but showed no recent activity, which likely made it a more attractive target: an unmonitored system gives an intruder more time before anyone notices. In both cases the attackers tried to deploy ransomware with a Windows batch file (PP.bat) placed on the desktop, which launched the DLL payload through a rundll32.exe command.
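The two observations above, a shared remote source across several hosts' connections_incoming.txt files and a batch file launching a Desktop DLL through rundll32.exe, can be turned into a simple correlation check. The following Python script is an added example, not code from Huntress, TeamViewer, or the original post. It parses connections_incoming.txt from several hosts, flags remote TeamViewer IDs that connected to more than one host, and reports rundll32 launches of a DLL under a Desktop folder spawned by cmd.exe running a .bat file, together with the incoming TeamViewer session (if any) that was open at that moment. The tab-separated log layout, host names, TeamViewer IDs, timestamps, the PP.bat path and the DLL export name are constructed assumptions, not data from the report.

```python
"""Correlate TeamViewer incoming sessions with suspicious rundll32 launches.
Added example; all sample data below is constructed, not from the report."""
import re
from collections import defaultdict
from datetime import datetime

TV_TIME = "%d-%m-%Y %H:%M:%S"  # assumed connections_incoming.txt timestamp format

# Constructed connections_incoming.txt content from two hosts. Assumed tab-separated
# columns: remote ID, remote name, start, end, local user, connection type, connection ID.
SAMPLE_SESSIONS = {
    "HOST-A": (
        "123456789\tIT Support\t15-01-2024 09:12:30\t15-01-2024 09:40:02\tjsmith\tRemoteControl\t{A1}\n"
        "555000111\tHelpdesk\t16-01-2024 22:03:11\t16-01-2024 22:19:45\tAdministrator\tRemoteControl\t{A2}\n"
    ),
    "HOST-B": (
        "987654321\tVendor\t03-06-2018 14:00:00\t03-06-2018 14:25:10\tsvc_tv\tRemoteControl\t{B1}\n"
        "555000111\tHelpdesk\t17-01-2024 01:44:09\t17-01-2024 01:58:30\tAdministrator\tRemoteControl\t{B2}\n"
        "malformed line that the parser must skip\n"
    ),
}

def _rundll32(host, when, cmd, parent_img, parent_cmd):
    """Build a constructed Sysmon-style process-creation event for rundll32.exe."""
    return {"host": host, "time": when, "image": r"C:\Windows\System32\rundll32.exe",
            "command_line": cmd, "parent_image": parent_img, "parent_command_line": parent_cmd}

CMD = r"C:\Windows\System32\cmd.exe"
BAT = r'cmd.exe /c "C:\Users\Administrator\Desktop\PP.bat"'
PAYLOAD = r"rundll32.exe C:\Users\Administrator\Desktop\payload.dll,Start"  # "Start" is a placeholder export

SAMPLE_EVENTS = [
    # Benign rundll32 use during the legitimate admin session.
    _rundll32("HOST-A", datetime(2024, 1, 15, 9, 20, 0), "rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe", "explorer.exe"),
    # Batch-file launch of a Desktop DLL inside the 555000111 session.
    _rundll32("HOST-A", datetime(2024, 1, 16, 22, 10, 5), PAYLOAD, CMD, BAT),
    # Same pattern on the second host, repeated after the first attempt fails.
    _rundll32("HOST-B", datetime(2024, 1, 17, 1, 50, 12), PAYLOAD, CMD, BAT),
    _rundll32("HOST-B", datetime(2024, 1, 17, 1, 51, 30), PAYLOAD, CMD, BAT),
    # Same pattern with no TeamViewer session open: still reported, but with no remote ID.
    _rundll32("HOST-B", datetime(2024, 1, 18, 10, 0, 0), PAYLOAD, CMD, BAT),
]

def parse_connections(text):
    """Parse connections_incoming.txt lines into session dicts; bad lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        try:
            start, end = (datetime.strptime(p, TV_TIME) for p in parts[2:4])
        except ValueError:
            continue
        sessions.append({"remote_id": parts[0], "name": parts[1], "start": start,
                         "end": end, "user": parts[4], "type": parts[5]})
    return sessions

def shared_remote_ids(sessions_by_host):
    """Remote TeamViewer IDs that connected to more than one host."""
    hosts_by_id = defaultdict(set)
    for host, sessions in sessions_by_host.items():
        for s in sessions:
            hosts_by_id[s["remote_id"]].add(host)
    return {rid for rid, hosts in hosts_by_id.items() if len(hosts) > 1}

DESKTOP_DLL = re.compile(r'\\desktop\\[^\s"]+\.dll\b', re.IGNORECASE)

def is_suspicious_rundll32(event):
    """rundll32 loading a DLL from a Desktop folder, spawned by cmd.exe running a .bat file."""
    return (event["image"].lower().endswith(r"\rundll32.exe")
            and DESKTOP_DLL.search(event["command_line"]) is not None
            and event["parent_image"].lower().endswith(r"\cmd.exe")
            and ".bat" in event["parent_command_line"].lower())

def correlate(raw_logs_by_host, events):
    """Report suspicious rundll32 launches with the TeamViewer session they fell in, if any."""
    sessions_by_host = {h: parse_connections(t) for h, t in raw_logs_by_host.items()}
    shared = shared_remote_ids(sessions_by_host)
    findings = []
    for ev in events:
        if not is_suspicious_rundll32(ev):
            continue
        # Assumes both logs use the host's local clock; normalize first if your SIEM stores UTC.
        match = next((s for s in sessions_by_host.get(ev["host"], [])
                      if s["start"] <= ev["time"] <= s["end"]), None)
        findings.append({"host": ev["host"], "time": ev["time"],
                         "remote_id": match["remote_id"] if match else None,
                         "shared_remote_id": bool(match) and match["remote_id"] in shared,
                         "command_line": ev["command_line"]})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_SESSIONS, SAMPLE_EVENTS):
        print(finding)
```

On the constructed data this reports four rundll32 launches; three fall inside sessions from remote ID 555000111, which appears on both hosts, and the fourth has no open TeamViewer session, which is worth reporting anyway since the attacker may have left a scheduled task or a second channel behind. The repeated launches on HOST-B are the pattern you would expect when an antivirus product keeps blocking the payload.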
Ransomware Attack Outcomes
The attack on the first endpoint succeeded but was contained. On the second endpoint the antivirus product blocked the payload, and the logs show repeated, unsuccessful attempts to execute it. The attacks cannot be definitively attributed to a known ransomware gang, but the samples resemble LockBit encryptors produced with the leaked LockBit Black builder.
The LockBit 3.0 builder, leaked in 2022, lets anyone generate several encryptor variants: a standalone executable, a DLL, and an encrypted DLL that only runs when launched with the correct password. That password protection also hampers analysis, since the payload stays encrypted on disk until the password is supplied. Huntress indicates that the attacks through TeamViewer appear to use the password-protected LockBit 3 DLL.
Company Response and Recommendations
Exactly how the threat actors take control of these TeamViewer instances remains unclear, but the company says it is committed to security. TeamViewer attributes most unauthorized access to weakened security settings rather than to a flaw in the product: typically easily guessed passwords and outdated software versions. It urges users to adopt strong security practices, including complex passwords, two-factor authentication, allow-lists that restrict which TeamViewer IDs may connect, and regular software updates.
TeamViewer has also published a set of best practices for secure unattended access on its support page. Users are strongly encouraged to follow these guidelines to improve their security posture and reduce the risk of unauthorized access.
Need Some Expert Help to Improve Your Cybersecurity?
Don’t let cybersecurity questions haunt your business. We can help you find and fix potential vulnerabilities and build a robust security posture that protects your business.
Visit our website, www.turnkeysol.com/resources/, for more educational resources, webinars, and white papers on cybersecurity and technology topics. Don’t forget to subscribe to our newsletter at turnkeysol.com/tks-newsletter/ for useful tips, tricks, and industry insights.
Most organizations need help with this, and we look forward to being of service and answering any questions.
If there’s anything we can do to help please let us know. Do you have a topic that you would like us to cover? Shoot us an email and let us know: stephanier@turnkeysol.com
Reach out to us at ask@tks.la, call 225-751-4444, or visit our website at www.turnkeysol.com.