TeamViewer Leveraged for Access in Ransomware Attacks

Ransomware operators have been observed leveraging remote access tool TeamViewer by way of exposed or brute-forced credentials to compromise networks and deploy payloads developed with the LockBit builder.

‍

"As TeamViewer is a widely spread software, many online criminals attempt to log on with the data of compromised accounts, in order to find out whether there is a corresponding TeamViewer account with the same credentials," Bleeping Computer Reports.

‍

“Our analysis shows that most instances of unauthorized access involve a weakening of TeamViewer's default security settings. This often includes the use of easily guessable passwords which is only possible by using an outdated version of our product.”

‍

Takeaway: Abusing Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) are some of the more common tactics used by ransomware operators to move laterally and vertically in a compromised network.  

‍

TeamViewer is basically similar to an RDP but uses its own protocol.  

‍

RDP exploits are used to remotely execute malicious code like malware and attack kits, or by executing scripts in fileless attacks, or when abusing legitimate network tools in what is known as living-off-the-land.  

‍

Access to RDP and VPN or similar instances is usually accomplished by way of stolen or brute-forced user credentials.  

‍

In this case there was no vulnerability exploitation in TeamViewer itself, as the attackers used the credential stuffing technique abusing compromised user credentials.  

‍

To defend against attacks that target RDP or similar instances, teams should practice good hygiene, use strong authentication and MFA, limit non-essential user permissions, enable account lockouts at authentication, and consider using dedicated gateways.  

‍

This attack highlights the fact that there is a lot of detectable network activity prior to the ransomware payload being delivered.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.