Ransomware Actors Target TeamViewer Once Again to Deploy Encryptors

A new report from cybersecurity firm Huntress shows that cybercriminals are still using TeamViewer, a legitimate remote access tool, to gain unauthorized access to organizations' endpoints and deploy ransomware. The attackers take advantage of how simple and widely deployed TeamViewer is in enterprise environments to drop and execute malicious files without being noticed.

This is not the first time TeamViewer has been misused by attackers. In 2016, victims reported that their devices were breached using TeamViewer to encrypt files with the Surprise ransomware. TeamViewer attributed these unauthorized access incidents to credential stuffing, where attackers used leaked login credentials to gain access.

The recent Huntress report highlighted two cases where cybercriminals attempted to deploy ransomware using TeamViewer. In the first compromised endpoint, the attackers successfully executed a ransomware payload, but it was contained. In the second case, the antivirus product intervened, preventing the attack from being successful.

Although the Huntress report could not definitively attribute the attacks to any known ransomware group, it found similarities with LockBit encryptors built using the leaked LockBit Black builder. The LockBit 3.0 ransomware builder was leaked in 2022, and several different gangs have since used it in their own campaigns.

The attacks analyzed by Huntress appeared to rely on a password-protected LockBit 3 DLL. While the specific sample Huntress observed could not be located, a different sample detected as LockBit Black was found on VirusTotal.

It is still unclear how the threat actors are gaining control of TeamViewer instances, but the company stresses the importance of strong security practices. TeamViewer advises users to use complex passwords, enable two-factor authentication, implement allow-lists, and regularly update to the latest software version.
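One way a defender can act on the allow-list advice is to audit inbound remote-control sessions against the list of approved remote IDs and flag anything unexpected. The script below is an added example, not code from Huntress or TeamViewer; the log lines are constructed, and the tab-separated layout (remote ID, display name, start, end, local user, connection type, connection GUID) is assumed to mirror TeamViewer's connections_incoming.txt, so adjust the parser if your build differs.

```python
"""Audit inbound remote-access sessions against an allow-list (added example)."""
from datetime import datetime

# Remote TeamViewer IDs approved to connect to this endpoint (assumed values).
ALLOWED_IDS = {"111222333", "444555666"}
# Hours during which helpdesk sessions are expected (08:00-18:59 local time).
BUSINESS_HOURS = range(8, 19)

# Constructed sample log; the second and third sessions should be flagged.
SAMPLE_LOG = """\
111222333\tHelpdesk-01\t16-01-2024 10:12:44\t16-01-2024 10:30:01\tjdoe\tRemoteControl\t{A1}
987654321\tUnknown\t17-01-2024 02:41:10\t17-01-2024 03:05:52\tjdoe\tRemoteControl\t{B2}
444555666\tHelpdesk-02\t17-01-2024 23:58:03\t18-01-2024 00:20:14\tadmin\tFileTransfer\t{C3}
"""

def parse_line(line):
    """Split one assumed connections_incoming.txt record into a dict."""
    remote_id, name, start, end, user, kind, conn_id = line.rstrip("\n").split("\t")
    fmt = "%d-%m-%Y %H:%M:%S"
    return {"remote_id": remote_id, "name": name, "user": user, "kind": kind,
            "conn_id": conn_id, "start": datetime.strptime(start, fmt),
            "end": datetime.strptime(end, fmt)}

def audit(log_text, allowed=ALLOWED_IDS, hours=BUSINESS_HOURS):
    """Return (connection GUID, remote ID, reasons) for every suspicious session."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s = parse_line(line)
        reasons = []
        if s["remote_id"] not in allowed:
            reasons.append("remote ID not on allow-list")
        if s["start"].hour not in hours:
            reasons.append("session started outside business hours")
        if reasons:
            findings.append((s["conn_id"], s["remote_id"], reasons))
    return findings

if __name__ == "__main__":
    for conn_id, rid, why in audit(SAMPLE_LOG):
        print(f"{conn_id} from {rid}: {'; '.join(why)}")
```

Feed the real log file's contents to audit() on a schedule and route findings to your SIEM; an unknown remote ID connecting at night is exactly the kind of session worth investigating before an encryptor runs.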

The misuse of tools like TeamViewer highlights the ongoing challenge of securing remote access solutions. Organizations must remain vigilant in implementing robust security measures and regularly updating their systems to defend against such attacks and protect sensitive data from ransomware threats.

FAQ:

1. What has the recent report from Huntress revealed?
The recent report from cybersecurity firm Huntress reveals that cybercriminals are still using TeamViewer, a legitimate remote access tool, to gain unauthorized access to organization endpoints and deploy ransomware.

2. How are attackers exploiting TeamViewer?
Attackers are exploiting the simplicity and extensive use of TeamViewer in the enterprise world to drop and execute malicious files undetected.

3. Has TeamViewer been misused by attackers before?
Yes, in 2016, victims reported that their devices were breached using TeamViewer to encrypt files with the Surprise ransomware. TeamViewer attributed these incidents to credential stuffing, where attackers used leaked login credentials to gain access.

4. Are there any specific cases mentioned in the report?
Yes, the Huntress report highlighted two cases where cybercriminals attempted to deploy ransomware using TeamViewer. In one case, the ransomware payload was successfully executed but contained, while in the second case, the antivirus product prevented the attack from being successful.

5. Are these attacks attributed to any known ransomware groups?
The report could not definitively attribute the attacks to any known ransomware groups, but similarities were found with LockBit encryptors created using a leaked LockBit Black builder.

6. How are threat actors gaining control of TeamViewer instances?
It is still unclear how threat actors are gaining control of TeamViewer instances.

7. What security practices does TeamViewer recommend?
TeamViewer advises users to use complex passwords, enable two-factor authentication, implement allow-lists, and regularly update to the latest software versions to enhance security.

8. Why is securing remote access solutions a challenge?
The misuse of tools like TeamViewer highlights the ongoing challenge of securing remote access solutions. Cybersecurity measures must be robustly implemented and regularly updated to defend against such attacks and protect sensitive data from ransomware threats.

Definitions:

1. Ransomware: A type of malware that encrypts files or locks a computer system, demanding a ransom payment in exchange for restoring access to the encrypted data or system.
2. Remote access tool: A software application that allows a user to access and control a computer or network remotely over an internet connection.
3. Credential stuffing: A cyber attack method in which attackers use leaked or stolen login credentials, such as usernames and passwords, to gain unauthorized access to user accounts.
4. Endpoint: A device, such as a computer or smartphone, that connects to a network and is a potential access point for cyber attacks.

Suggested Related Links:

1. TeamViewer Official Website
2. Ransomware Cycle – Huntress Blog
3. Remote Desktop Apps Enter Ransomware-as-a-Service Chain – Cybersecurity Insiders