
‘Russia’ Breaches TeamViewer – ‘No Evidence’ Billions of Devices at Risk

Remote access service fell victim to APT29 attack, TeamViewer claims.

TeamViewer says a ‘compromised employee account’ led to the hack, which it attributes to Russia. While the company is quiet about its network segmentation, it also claims that the tool has been installed on over 2.5 billion devices.

And this is cause for concern, despite the reassuring PR. In today’s SB Blogwatch, we wonder why TeamViewer hasn’t enforced multi-factor authentication (MFA) for employees (see also: Snowflake, Okta, Uber, etc., etc.).

Your humble blogwatcher has selected these blog snippets for your entertainment. Not to mention: MalwareTech Explains.

SolarWinds hackers strike again

What’s going on? Lawrence Abrams reports: TeamViewer’s corporate network was compromised in an alleged APT hack

Russian Foreign Intelligence Service
Remote access software company TeamViewer is warning that its corporate environment has been breached. … Although TeamViewer says there is no evidence that its product environment or customer data has been compromised, its massive use in both consumer and corporate environments makes any breach a serious concern. … TeamViewer is a widely popular remote access software that allows users to remotely control and use a computer as if they were sitting in front of the device.

TeamViewer is now attributing the attack to … APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard, [a] group affiliated with the Russian Foreign Intelligence Service (SVR). … In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors.

APT29? Jonathan Greig Reminds Us: Russian Hackers ‘Cozy Bear’

Kremlin
The group, allegedly operating within Russia’s Foreign Intelligence Service (SVR), has been involved in several of the most significant hacks of the past decade — including the SolarWinds hack in 2020 and the attack on the Democratic National Committee in 2016. … A [TeamViewer] spokesperson did not respond to several questions about what systems or data APT29 accessed.

On Thursday … several organizations began warning customers and members about the APT29 attack on TeamViewer. Cybersecurity firm NCC Group and the Healthcare Industry Cybersecurity Coalition have issued private alerts sounding the alarm about the breach. … APT29 focuses on acquiring intelligence that helps the Kremlin make strategic decisions, … targeting data that provides insight into foreign affairs. … Microsoft has begun notifying more organizations that their emails and other information have been used as part of the APT29 attack.

Horse’s mouth? TeamViewer PR Reassurances: TeamViewer IT Security Update

Hacking into an employee's account
Our security team has detected an anomaly in TeamViewer’s internal IT environment. … There is no evidence to suggest that this impacts the product environment or customer data. Investigations are ongoing.

According to current findings, the perpetrator of the threat used the compromised employee account to copy data from the employee directory, i.e. names, company contact details and encrypted employee passwords, to our internal IT environment. … We have strengthened authentication procedures for our employees as much as possible.

Are you throwing an employee under the bus again? Shades of LastPass, suggested by ilrwbwrkhv:

I wonder how much of this is due to the fact that the development talent that joins TeamViewer or LastPass is really poor quality. I mean, is there any good engineer who really wants to work for these companies?

Ouch. However, Kosmodrom notes that this is not the first such problem in TeamViewer:

Teamviewer has gone from vulnerability to security vulnerability over the years. But this time they are not to blame because “the Russians did it.”

Funny how all the usual suspects have changed from jerks who don’t want to limit their profits by selling well-tested and safe products when they could just leave their customers with the damage and move on to become concerned victims of “state-sponsored” supervillains, “people-backed” “APTs” and other unstoppable attackers. … But even if they really were Rrrans gasp TeamViewer … they are still at fault because, fuck, they let them in!

Is TeamViewer actually dangerous? Yes, Midnight_Falcon says:

Remote management tools, or “RMMs,” are one of the biggest security threats U.S. businesses face today. IT departments and small and large IT companies implement them, providing the software with constant full system or administrator access on each workstation.

Software is often created by companies that are small and don’t have much operational security, or larger and have been legalized through acquisition – SolarWinds anyone? RMM software should require user interaction to start a session and then uninstall itself or revoke all its permissions until the next time.

Or change products. But for what? Here are KentGeek’s experiences:

A few months ago I abandoned TeamViewer in favor of Google Remote Desktop. It meets my occasional low bar needs and doesn’t make me feel guilty for using it without compensation. Several times a month I connect between iPad, Windows, Linux. Easiest thing I’ve found so far.

What is it that you feel guilty about? The Dogs Meevonks barks disapprovingly:

They have truly become a ****** company that tried to force people to pay hundreds for their “free, non-commercial” license. …I used them to support my elderly mother and sister who lived at least a 40-60 minute drive from me. They pulled the same old **** that every remote desktop company does when they go a little overboard: “We think you’re a commercial user and you have to pay.”

A few weeks ago I switched to RustDesk, which is open source and does everything I need for free, forever, and I don’t have to rely on some corporation that lies through their teeth and tries to scam people out of money.

This is not an ideal situation. Bobbutts, that’s right:

Spam idiots. He left them many years ago. Maybe they should have considered working on security instead of rendering their free product useless and accusing me of repeatedly exploiting it commercially while accessing my own computer for personal use.

Meanwhile, This Anonymous Coward Curses TeamViewer:

Oh no! Software intended for use by fraudsters has been hacked? TeamViewer should rot in the hot spot.

And finally:

Marcus “MalwareTech” Hutchins explains the economics



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blog bits, the best forums, and the weirdest websites — so you don’t have to. Hate mail can be directed to @RiCHi, @richij or @richi.bsky.social. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Don’t look at the laser with your remaining eye. E&OE. thirty.

Image sauce: Tim Reckmann (cc:by; aligned and cropped)
