Hackers target TeamViewer to try and get access to your company's network


Hackers are back to using TeamViewer to breach computers and deploy ransomware, according to a new report from cybersecurity researchers at Huntress.

TeamViewer is one of the most popular remote access and remote desktop management tools out there. It’s a legitimate piece of software broadly used in the enterprise world to allow users quick and seamless access to remote endpoints.

However, its popularity also means it is a popular target among hackers. 

LockBit builder

Years ago, security experts warned that threat actors were targeting devices with TeamViewer to deploy ransomware. Back then, it was noted that TeamViewer itself was not vulnerable, and instead it was the users and their poor password hygiene that led to the attacks. By securing TeamViewer instances with easy-to-guess passwords, the victims allowed cybercriminals to access them via credential stuffing and brute-forcing.

Many people use the same username/password combination across multiple services. When one service gets breached, and the credentials leak, hackers can easily move into other services, too.

Now, Huntress is warning that some hackers are back to using this same attack vector. The researchers detailed two examples, both of which seem to have come from the same threat actor. While one endpoint was actively used by the company’s staff, the other one was left unattended for months, making it an ideal target for threat actors.

Luckily for the target companies, both attacks were unsuccessful: the first one was quickly contained, and the second one was prevented through antivirus software. That doesn’t mean the attackers were entirely unsuccessful, since other attempts, made elsewhere, might have succeeded.

Huntress wasn’t able to identify the attackers, but claims the encryptors were similar to those created with the leaked LockBit Black builder. 

The builder for LockBit 3.0 leaked more than a year ago, BleepingComputer reminds, after which two ransomware groups, Bl00dy and Buhti, used it to launch their own campaigns.

In a statement, TeamViewer said, "we take the security and integrity of our platform extremely seriously and unequivocally condemn any form of malicious use of our software. 

"Our analysis shows that most instances of unauthorized access involve a weakening of TeamViewer's default security settings. This often includes the use of easily guessable passwords which is only possible by using an outdated version of our product. We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor-authentication, allow-lists, and regular updates to the latest software versions. These steps are critical in safeguarding against unauthorized access.

"To further support our users in maintaining secure operations, we have published a set of best practices for secure unattended access, which can be found at [Best practices for secure unattended access - TeamViewer Support]. We strongly encourage all our users to follow these guidelines to enhance their security posture."


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
