"Ransomware Actor Utilizes TeamViewer for Initial Network Access"
Attackers have increasingly exploited TeamViewer, a widely used remote access
tool installed on hundreds of millions of endpoints, to infiltrate victim
environments. Extensively used by organizations for remote support,
collaboration, and endpoint device access, TeamViewer has, like other
legitimate remote access technologies, become a target for attackers seeking
initial access to target systems.
Recent incidents observed by researchers at Huntress underscore
this trend. The attempted ransomware deployment incidents targeted two distinct
endpoint devices owned by Huntress customers. In both cases, the attackers
failed to install what appeared to be ransomware based on a leaked builder for
LockBit 3.0 ransomware.
Upon further investigation, it was revealed that the attackers
gained initial access to both endpoints through TeamViewer. The logs indicated
that the attacks originated from an endpoint with the same hostname, suggesting
the involvement of the same threat actor in both incidents. The threat actor
spent just over seven minutes on one computer and more than 10 minutes on the
other after gaining initial access via TeamViewer.
While the report from Huntress did not specify how the attacker
took control of the TeamViewer instances in both cases, Harlan Carvey, senior
threat intelligence analyst at Huntress, suggested that some of the TeamViewer
logins appeared to be from legacy systems.
Carvey explained, "The logs provide no indication of logins
for several months or weeks before the threat actor's access."
He further suggested the possibility that the threat actor might
have purchased access from an initial access broker (IAB), obtaining
credentials and connection information from other endpoints through the use of
infostealers, a keystroke logger, or other means.
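The two indicators described above, a dormant endpoint that suddenly receives an inbound TeamViewer session and the same source hostname showing up on more than one endpoint within a short window, can be checked from TeamViewer's own connection logs. The script below is an added example, not code from Huntress or TeamViewer. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (source ID, source display name, start, end, local user, connection mode, session GUID, with dates as DD-MM-YYYY); the sample lines, hostnames and IDs are constructed.

```python
"""Flag suspicious inbound TeamViewer sessions across several monitored endpoints.

Added example (not Huntress's or TeamViewer's code). Assumes the tab-separated
Connections_incoming.txt layout; all sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DATE_FMT = "%d-%m-%Y %H:%M:%S"  # assumed TeamViewer log timestamp format

# Constructed sample: endpoint hostname -> its Connections_incoming.txt lines.
SAMPLE_LOGS = {
    "WS-FINANCE-01": [
        "111222333\tHELPDESK-PC\t03-09-2023 09:12:00\t03-09-2023 09:40:10\tjsmith\tRemoteControl\t{a1}",
        "555666777\tDESKTOP-X9Q2\t17-01-2024 21:03:11\t17-01-2024 21:10:31\tjsmith\tRemoteControl\t{a2}",
    ],
    "WS-HR-07": [
        "555666777\tDESKTOP-X9Q2\t17-01-2024 21:22:45\t17-01-2024 21:33:02\tAdministrator\tRemoteControl\t{b1}",
    ],
}


def parse_line(line):
    """Parse one inbound-connection record into a dict with datetime fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        raise ValueError("unexpected Connections_incoming line: %r" % line)
    src_id, src_name, start, end, user, mode, guid = fields[:7]
    start_dt = datetime.strptime(start, DATE_FMT)
    end_dt = datetime.strptime(end, DATE_FMT)
    return {
        "source_id": src_id,
        "source_name": src_name,
        "start": start_dt,
        "end": end_dt,
        "local_user": user,
        "mode": mode,
        "guid": guid,
        "duration_s": int((end_dt - start_dt).total_seconds()),
    }


def analyze(logs, dormant_days=30, pivot_window_hours=24):
    """Return findings for (a) long-dormant endpoints suddenly accessed and
    (b) one source hostname touching several endpoints within a short window."""
    findings = []
    by_source = defaultdict(list)  # source display name -> [(host, session)]

    for host, lines in logs.items():
        sessions = sorted((parse_line(l) for l in lines), key=lambda s: s["start"])
        prev = None
        for s in sessions:
            by_source[s["source_name"]].append((host, s))
            # Dormancy check: no inbound session for longer than dormant_days,
            # then an access; the gap is measured from the previous session's end.
            if prev is not None:
                gap = s["start"] - prev["end"]
                if gap > timedelta(days=dormant_days):
                    findings.append({
                        "type": "dormant_endpoint_accessed",
                        "host": host,
                        "source_name": s["source_name"],
                        "source_id": s["source_id"],
                        "gap_days": gap.days,
                        "duration_s": s["duration_s"],
                    })
            prev = s

    # Pivot check: the same source name connecting to more than one endpoint
    # within pivot_window_hours suggests a single operator working a fleet.
    for name, entries in by_source.items():
        hosts = {h for h, _ in entries}
        if len(hosts) < 2:
            continue
        starts = [s["start"] for _, s in entries]
        span = max(starts) - min(starts)
        if span <= timedelta(hours=pivot_window_hours):
            findings.append({
                "type": "same_source_multiple_endpoints",
                "source_name": name,
                "hosts": sorted(hosts),
                "span_minutes": int(span.total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

Both thresholds are tunable: the dormancy window should be set from the endpoint's normal support cadence, and the pivot window from how quickly a single helpdesk operator would plausibly move between machines. In practice the source ID is the more reliable join key across endpoints, since the display name is chosen by the connecting party.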
This incident adds to a series of previous instances where
attackers utilized TeamViewer similarly. Past incidents included a campaign in
May, where a threat actor sought to install the XMRig cryptomining software
after gaining initial access via TeamViewer. Another involved a data
exfiltration campaign investigated by Huntress in December, where the threat
actor had gained an initial foothold through TeamViewer.
As remote access software
installed on approximately 2.5 billion devices, with 400 million actively
connected to TeamViewer at any given time, the tool's vast footprint and ease
of use have made it an attractive target for attackers. TeamViewer has
implemented measures to mitigate misuse, claiming that an attacker can only
access a computer via TeamViewer with the TeamViewer ID and associated
password.