TeamViewer Exploited in Recent Ransomware Attacks to Breach Networks
Ransomware actors are once again resorting to
the use of TeamViewer to gain initial access to organizational endpoints,
attempting to deploy encryptors based on the leaked LockBit ransomware builder.
TeamViewer, a legitimate and widely-used remote access tool in
the enterprise world, is valued for its simplicity and capabilities.
Unfortunately, scammers and ransomware actors also find it valuable for
unauthorized access to remote desktops, dropping and executing malicious files
without hindrance. A similar incident was first reported in March 2016 when
victims confirmed in the Bleeping Computer forums that TeamViewer was used to
encrypt files with the Surprise ransomware.
At the time, TeamViewer attributed the unauthorized access
to credential stuffing, where attackers reused leaked credentials rather than
exploiting a zero-day vulnerability in the software.
A recent report from Huntress reveals that cybercriminals
continue to employ these old techniques, taking over devices via TeamViewer in
attempts to deploy ransomware. Log files analyzed by Huntress showed
connections from the same source in both cases, indicating a common attacker.
In the first compromised endpoint, Huntress observed multiple
accesses by employees in the logs, suggesting legitimate administrative use of
the software. In contrast, the second endpoint, which has been operational
since 2018, showed no activity in the logs for the past three months, making it
potentially more attractive to attackers.
In both cases, the attackers tried to deploy the ransomware
payload using a DOS batch file (PP.bat) on the desktop, executing a DLL file
(payload) via a rundll32.exe command. The attack on the first endpoint
succeeded but was contained, while on the second, the antivirus product halted
the effort, leading to repeated unsuccessful payload execution attempts.
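The chain described above (a batch file on the Desktop launching a DLL through rundll32.exe under a TeamViewer session) is easy to look for in process-creation telemetry. The following is an added detection example, not code from the article or from Huntress; it assumes simplified Sysmon-style event fields (pid, ppid, image, cmdline) and uses constructed sample events rather than the real IOCs.

```python
import re

# Constructed process-creation events (simplified Sysmon Event ID 1 fields):
# sample values made up for this example, not indicators from the Huntress report.
SAMPLE_EVENTS = [
    {"pid": 3300, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 3300, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": r'"C:\Program Files\TeamViewer\TeamViewer.exe"'},
    {"pid": 4400, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\jdoe\Desktop\PP.bat"'},
    {"pid": 4412, "ppid": 4400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\Desktop\payload.dll,EntryPoint"},
    # Benign control: rundll32 spawned by the shell, no batch file, no remote-access parent.
    {"pid": 5100, "ppid": 3300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# A .bat launched from a user's Desktop folder, as in the PP.bat case above.
DESKTOP_BAT = re.compile(r"\\Desktop\\[^\s\"]+\.bat\b", re.IGNORECASE)

def ancestors(event, by_pid):
    """Walk the parent chain of an event, stopping at the root or on a PID cycle."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def find_suspicious_rundll32(events):
    """Return (pid, reason) for rundll32.exe launches whose ancestry matches the reported chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        chain = list(ancestors(e, by_pid))
        bat_parent = any(DESKTOP_BAT.search(a["cmdline"]) for a in chain)
        tv_ancestor = any("teamviewer" in a["image"].lower() for a in chain)
        if bat_parent and tv_ancestor:
            findings.append((e["pid"], "rundll32 via Desktop .bat under a TeamViewer session"))
        elif bat_parent:
            findings.append((e["pid"], "rundll32 via Desktop .bat"))
    return findings

if __name__ == "__main__":
    for pid, reason in find_suspicious_rundll32(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

On the sample events only the rundll32 process descending from the TeamViewer-launched batch file is flagged; the shell-spawned control is ignored.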
While Huntress couldn't definitively attribute the attacks to
any known ransomware gangs, they noted similarities to LockBit encryptors
created with a leaked LockBit Black builder. In 2022, the builder for LockBit
3.0 was leaked, prompting various gangs to launch their campaigns using the
builder.
Based on Indicators of Compromise (IOCs) provided by Huntress,
the TeamViewer attacks seem to involve the password-protected LockBit 3 DLL.
Though the specific sample seen by Huntress couldn't be located,
a different sample detected as LockBit Black was found on VirusTotal last week.
This sample, not using the standard LockBit 3.0 ransomware note, suggests it
was created by another ransomware gang utilizing the leaked builder.
While the method of threat actors taking
control of TeamViewer instances remains unclear, the company issued a statement
to BleepingComputer about the attacks and securing installations.