Ransomware Actor Utilizes TeamViewer for Initial Network Access


Attackers have increasingly exploited TeamViewer, a widely used remote access tool installed on hundreds of millions of endpoints, to infiltrate victim environments. TeamViewer, which organizations use extensively for remote support, collaboration, and endpoint device access, has, like other legitimate remote access technologies, become a target for attackers seeking initial access to victim systems.

Recent incidents observed by researchers at Huntress underscore this trend. The attempted ransomware deployment incidents targeted two distinct endpoint devices owned by Huntress customers. In both cases, the attackers failed to install what appeared to be ransomware based on a leaked builder for LockBit 3.0 ransomware.

Upon further investigation, it was revealed that the attackers gained initial access to both endpoints through TeamViewer. The logs indicated that the attacks originated from an endpoint with the same hostname, suggesting the involvement of the same threat actor in both incidents. The threat actor spent just over seven minutes on one computer and more than 10 minutes on the other after gaining initial access via TeamViewer.

While the report from Huntress did not specify how the attacker took control of the TeamViewer instances in both cases, Harlan Carvey, senior threat intelligence analyst at Huntress, suggested that some of the TeamViewer logins appeared to be from legacy systems.

Carvey explained, "The logs provide no indication of logins for several months or weeks before the threat actor's access."

He further suggested the possibility that the threat actor might have purchased access from an initial access broker (IAB), obtaining credentials and connection information from other endpoints through the use of infostealers, a keystroke logger, or other means.
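The two signals in the report, a remote session arriving after months with no incoming logins and the same remote hostname touching several endpoints, are both visible in TeamViewer's own connection log. The following triage script is an added example, not Huntress's tooling, and it assumes the layout of TeamViewer's Connections_incoming.txt: one tab-separated line per session holding the remote TeamViewer ID, remote display name, start, end, local user, connection type and session GUID, with timestamps as DD-MM-YYYY HH:MM:SS. The hostnames, IDs, GUIDs and times in SAMPLE_LOGS are constructed for the example.

```python
"""Triage TeamViewer incoming-connection logs for two signals: a session that
starts after a long dormancy, and a remote display name seen on several endpoints.
Added example, not Huntress code. Assumed Connections_incoming.txt layout (tab-separated):
TeamViewerID, remote display name, start, end, local user, type, session GUID,
timestamps as DD-MM-YYYY HH:MM:SS. Adjust parse_incoming() if your version differs.
"""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample: two endpoints, each with its own Connections_incoming.txt.
# Every hostname, ID, GUID and timestamp below is invented for the example.
SAMPLE_LOGS = {
    "WS-FINANCE-01": (
        "111111111\tHELPDESK-PC\t03-08-2023 09:12:41\t03-08-2023 09:40:02\tfinance1\tRemoteControl\t{guid-1}\n"
        "222222222\tOPERATOR-X\t16-01-2024 02:03:10\t16-01-2024 02:10:22\tfinance1\tRemoteControl\t{guid-2}\n"
    ),
    "WS-SALES-07": (
        "111111111\tHELPDESK-PC\t10-11-2023 14:05:00\t10-11-2023 14:20:30\tsales7\tRemoteControl\t{guid-3}\n"
        "222222222\tOPERATOR-X\t16-01-2024 02:31:55\t16-01-2024 02:42:40\tsales7\tRemoteControl\t{guid-4}\n"
    ),
}


def parse_incoming(text):
    """Parse one Connections_incoming.txt into session dicts, oldest first."""
    sessions = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < 7:
            continue  # blank or malformed line
        tv_id, name, start, end, user, kind, guid = parts[:7]
        try:
            start_dt = datetime.strptime(start, TS_FMT)
            end_dt = datetime.strptime(end, TS_FMT)
        except ValueError:
            continue  # unparseable timestamp, e.g. a session still open when the log was copied
        sessions.append({
            "tv_id": tv_id, "remote": name, "start": start_dt, "end": end_dt,
            "user": user, "type": kind, "guid": guid,
            "minutes": round((end_dt - start_dt).total_seconds() / 60, 2),
        })
    sessions.sort(key=lambda s: s["start"])
    return sessions


def dormancy_breaks(sessions, min_gap_days=60):
    """Sessions that begin at least min_gap_days after the previous session ended."""
    return [cur for prev, cur in zip(sessions, sessions[1:])
            if (cur["start"] - prev["end"]).days >= min_gap_days]


def shared_remote_names(logs_by_endpoint):
    """Remote display names that connected to two or more endpoints (any session)."""
    seen = defaultdict(set)
    for endpoint, text in logs_by_endpoint.items():
        for s in parse_incoming(text):
            seen[s["remote"]].add(endpoint)
    return {name: sorted(eps) for name, eps in seen.items() if len(eps) >= 2}


def correlate(logs_by_endpoint, min_gap_days=60):
    """Remote names whose dormancy-breaking sessions hit several endpoints: the
    combination that a routine helpdesk host should not produce."""
    seen = defaultdict(set)
    for endpoint, text in logs_by_endpoint.items():
        for s in dormancy_breaks(parse_incoming(text), min_gap_days):
            seen[s["remote"]].add(endpoint)
    return {name: sorted(eps) for name, eps in seen.items() if len(eps) >= 2}


if __name__ == "__main__":
    for endpoint, text in SAMPLE_LOGS.items():
        for s in dormancy_breaks(parse_incoming(text)):
            print(f"{endpoint}: {s['remote']} (ID {s['tv_id']}) connected at {s['start']} "
                  f"for {s['minutes']} min after a long gap")
    print("remote names breaking dormancy on several endpoints:", correlate(SAMPLE_LOGS))
```

Run it against the per-host copies of Connections_incoming.txt collected during an investigation. A remote name that only appears in `shared_remote_names()` is often a legitimate support machine; the names returned by `correlate()` are the ones worth pulling the surrounding host logs for, and the `minutes` field gives the dwell time per session that the report above quotes.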

This incident adds to a series of previous instances where attackers utilized TeamViewer similarly. Past incidents included a campaign in May, where a threat actor sought to install the XMRig cryptomining software after gaining initial access via TeamViewer. Another involved a data exfiltration campaign investigated by Huntress in December, where the threat actor had gained an initial foothold through TeamViewer.

TeamViewer is installed on approximately 2.5 billion devices, with 400 million actively connected at any given time, and this vast footprint and ease of use have made it an attractive target for attackers. TeamViewer has implemented measures to mitigate misuse, stating that an attacker can only access a computer via TeamViewer with the TeamViewer ID and associated password.


2 Comments

  1. Content is king, and this site delivers!

  2. "I'm impressed by the breadth of information presented here. Whether you're a beginner or well-versed, this article caters to all levels of understanding. Very well-rounded."
