TeamViewer Exploited in Recent Ransomware Attacks to Breach Networks


Ransomware actors are once again using TeamViewer to gain initial access to organizational endpoints and attempting to deploy encryptors built with the leaked LockBit ransomware builder.
TeamViewer is a legitimate, widely used remote access tool in the enterprise world, valued for its simplicity and capabilities. Unfortunately, scammers and ransomware actors also find it valuable: once they have unauthorized access to a remote desktop, they can drop and execute malicious files without hindrance. A similar incident was first reported in March 2016, when victims confirmed in the BleepingComputer forums that TeamViewer had been used to encrypt their files with the Surprise ransomware.
At the time, TeamViewer attributed the unauthorized access to credential stuffing, in which attackers reused leaked credentials, rather than to a zero-day vulnerability in the software.
A recent report from Huntress shows that cybercriminals continue to employ this old technique, taking over devices via TeamViewer in attempts to deploy ransomware. Huntress analyzed two compromised endpoints; the log files showed connections from the same source in both cases, indicating a common attacker.
On the first compromised endpoint, Huntress observed multiple employee logins in the logs, suggesting legitimate administrative use of the software. The second endpoint, which had been up and running since 2018, showed no activity in the logs for the past three months, making it potentially more attractive to attackers: a quiet machine is less likely to be watched.
In both cases, the attackers tried to deploy the ransomware payload using a batch file (PP.bat) placed on the desktop, which executed a DLL payload via a rundll32.exe command. The attack on the first endpoint succeeded but was contained; on the second, the antivirus product blocked the effort, leading to repeated unsuccessful payload execution attempts.
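The two observations Huntress drew from the logs (the same remote TeamViewer ID reaching more than one endpoint, and an endpoint that had been quiet for months before that session) are easy to check for yourself. The script below is an added example, not code from the Huntress report or from this article. It assumes each host's log follows the tab-separated layout of TeamViewer's connections_incoming.txt (remote ID, remote display name, start, end, local user, connection type, connection GUID) with "DD-MM-YYYY HH:MM:SS" timestamps; the hostnames, TeamViewer IDs and log lines are constructed sample data, and the `known_ids` baseline is an assumed parameter for the IDs your IT team legitimately uses.

```python
"""Correlate TeamViewer incoming-connection logs across hosts.

Added example; not code from the Huntress report or this article. It
reproduces the two observations the analysis above rests on: the same remote
TeamViewer ID connecting to more than one endpoint, and an endpoint that had
seen no sessions for months before that connection.

Assumption: each host's log follows the tab-separated layout of TeamViewer's
connections_incoming.txt (remote ID, remote display name, start, end, local
user, connection type, connection GUID) with "DD-MM-YYYY HH:MM:SS" timestamps.
Every log line below is constructed sample data, not a real entry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%d-%m-%Y %H:%M:%S"

# Constructed sample logs keyed by hostname. 555000111 is a fictional IT admin's
# TeamViewer ID that legitimately reaches both hosts; 987654321 is the fictional
# intruder's ID. The {A1}-style GUIDs are placeholders.
SAMPLE_LOGS = {
    "WKSTN-01": (
        "555000111\tIT-Admin\t03-10-2023 09:02:11\t03-10-2023 09:40:03\tjdoe\tRemoteControl\t{A1}\n"
        "555000111\tIT-Admin\t14-11-2023 13:15:00\t14-11-2023 13:52:19\tjdoe\tRemoteControl\t{A2}\n"
        "555000111\tIT-Admin\t19-12-2023 16:05:42\t19-12-2023 16:30:07\tjdoe\tRemoteControl\t{A3}\n"
        "987654321\tWindows\t08-01-2024 03:12:40\t08-01-2024 03:41:55\tjdoe\tRemoteControl\t{A4}\n"
    ),
    "WKSTN-02": (
        "555000111\tIT-Admin\t20-09-2023 10:11:05\t20-09-2023 10:45:30\tmsmith\tRemoteControl\t{B1}\n"
        "987654321\tWindows\t08-01-2024 03:55:10\t08-01-2024 04:20:02\tmsmith\tRemoteControl\t{B2}\n"
    ),
}


def parse_connections(text):
    """Parse one host's log text into session dicts, oldest first."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"unexpected field count in line: {line!r}")
        remote_id, remote_name, start, end, local_user, conn_type, guid = fields
        sessions.append({
            "remote_id": remote_id,
            "remote_name": remote_name,
            "start": datetime.strptime(start, TS_FORMAT),
            "end": datetime.strptime(end, TS_FORMAT),
            "local_user": local_user,
            "type": conn_type,
            "guid": guid,
        })
    return sorted(sessions, key=lambda s: s["start"])


def parse_all(logs_by_host):
    """Parse every host's log text; returns {hostname: [session, ...]}."""
    return {host: parse_connections(text) for host, text in logs_by_host.items()}


def shared_remote_ids(sessions_by_host):
    """Map each remote ID seen on more than one host to the set of those hosts."""
    hosts_for = defaultdict(set)
    for host, sessions in sessions_by_host.items():
        for s in sessions:
            hosts_for[s["remote_id"]].add(host)
    return {rid: hosts for rid, hosts in hosts_for.items() if len(hosts) > 1}


def dormant_before(prior, session, days):
    """True if the host has history, but none of it falls in the `days` before `session`."""
    if not prior:
        return False  # no history at all; nothing to judge dormancy against
    window_start = session["start"] - timedelta(days=days)
    return all(o["start"] < window_start for o in prior)


def analyze(sessions_by_host, known_ids=frozenset(), days=90):
    """Return (host, remote_id, start, reason) tuples for sessions worth a second look.

    known_ids is an assumed baseline of remote IDs (e.g. the IT team's) that are
    expected on many hosts; their first appearance on a host is not reported.
    """
    shared = shared_remote_ids(sessions_by_host)
    findings = []
    for host, sessions in sessions_by_host.items():
        for i, s in enumerate(sessions):
            prior = sessions[:i]  # sessions are sorted oldest first
            reasons = []
            first_seen_here = all(o["remote_id"] != s["remote_id"] for o in prior)
            if first_seen_here and s["remote_id"] in shared and s["remote_id"] not in known_ids:
                others = sorted(shared[s["remote_id"]] - {host})
                reasons.append("new remote ID for this host, also seen on " + ", ".join(others))
            if dormant_before(prior, s, days):
                reasons.append(f"no sessions in the prior {days} days")
            if reasons:
                findings.append((host, s["remote_id"], s["start"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, rid, start, why in analyze(parse_all(SAMPLE_LOGS), known_ids={"555000111"}):
        print(f"{host}: remote ID {rid} at {start:%Y-%m-%d %H:%M} -> {why}")
```

Run against the sample data with the admin ID baselined, only the intruder's two sessions are reported: on the first host because the ID is new there and also present on the second host, and on the second host for that reason plus the 90-day gap before it. Without the baseline the admin's first session on each host is reported too, which is the noise a real deployment has to tune out. The session start and end times are the window to pair with process telemetry on the host (for this campaign, rundll32.exe loading a DLL from the user's desktop) when confirming what the remote operator did.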
While Huntress couldn't definitively attribute the attacks to any known ransomware gang, it noted similarities to LockBit encryptors created with the leaked LockBit Black builder. The LockBit 3.0 builder was leaked in 2022, and various gangs have since used it to launch their own campaigns.
Based on the indicators of compromise (IOCs) Huntress provided, the TeamViewer attacks appear to involve the password-protected LockBit 3 DLL.
Though the specific sample seen by Huntress couldn't be located, a different sample detected as LockBit Black was found on VirusTotal last week. That sample does not use the standard LockBit 3.0 ransom note, suggesting it was created by another ransomware gang using the leaked builder.
While it remains unclear how the threat actors took control of the TeamViewer instances, the company issued a statement to BleepingComputer about the attacks and about securing installations.


4 Comments

  1. The articles here are both insightful and well written.

    ReplyDelete
  2. Your writing style is captivating – I couldn't stop reading!

    ReplyDelete
  3. The gamification elements are a fun way to keep users engaged. I enjoy the challenges!

    ReplyDelete
  4. Every post is a journey. Your storytelling is captivating! 📖👏

    ReplyDelete