Organisations have long used TeamViewer software to provide remote support, collaboration, and access to endpoint devices. Like other authorised remote access technologies, it is often employed by attackers to gain initial access to target systems.
The most recent example is the pair of attempted ransomware deployment incidents that Huntress researchers recently came across.
Unsuccessful ransomware deployment
The attacks that Huntress detected targeted two separate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware built from a leaked builder for LockBit 3.0.
Further investigation revealed that TeamViewer was the initial point of access for the attackers to both endpoints. The logs showed that the same threat actor was responsible for both occurrences, as the attacks originated from an endpoint with the same hostname.
After initially gaining access via TeamViewer, the threat actor used one of the computers for roughly seven minutes, and on the other, the attacker's session lasted for over ten minutes.
How the attacker may have gained control of the TeamViewer instances in both incidents was not mentioned in Huntress's report. However, Huntress's senior threat intelligence analyst, Harlan Carvey, notes that a few of the TeamViewer logins seem to come from outdated systems.
"The logs provide no indication of logins for several months or weeks before the threat actor's access," Carvey states. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login."
Carvey believes that the threat actor may have been able to purchase access from an initial access broker (IAB) and that the credentials and connection information might have been stolen from other endpoints using a keyboard logger, infostealers, or other techniques.
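The log patterns Carvey describes (a long-dormant endpoint suddenly receiving a login, a remote hostname never seen before, and the same remote hostname reaching two endpoints minutes apart) can be turned into a simple triage check. The following is an added example, not code from Huntress or TeamViewer; it runs over a constructed log in a simplified tab-separated layout assumed here, not TeamViewer's actual file format, and the hostnames and IDs are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; layout assumed here (remote ID, remote hostname,
# start, end, local endpoint). The last two lines mimic the article's pattern:
# one remote host opening short sessions on two endpoints after months of silence.
SAMPLE_LOG = """\
111111111\tHELPDESK-PC\t2023-09-04 09:12:00\t2023-09-04 09:40:00\tWS-ACCOUNTING
111111111\tHELPDESK-PC\t2023-09-18 14:02:00\t2023-09-18 14:15:00\tWS-ACCOUNTING
999999999\tDESKTOP-ATTK\t2024-01-10 03:21:00\t2024-01-10 03:28:00\tWS-ACCOUNTING
999999999\tDESKTOP-ATTK\t2024-01-10 03:35:00\t2024-01-10 03:46:00\tWS-SALES
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_log(text):
    """Parse sessions into dicts, oldest first; malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        rid, rname, start, end, endpoint = parts
        sessions.append({"remote_id": rid, "remote": rname, "endpoint": endpoint,
                         "start": datetime.strptime(start, FMT),
                         "end": datetime.strptime(end, FMT)})
    return sorted(sessions, key=lambda s: s["start"])

def flag_suspicious(sessions, dormant_days=30, spread_window=timedelta(hours=1)):
    """Return {(endpoint, remote, start): [reasons]} for sessions worth triage."""
    findings = {}
    last_seen = {}                 # endpoint -> end time of its previous session
    known = defaultdict(set)       # endpoint -> remote hostnames seen before
    by_remote = defaultdict(list)  # remote hostname -> (endpoint, start) history
    for s in sessions:
        reasons = []
        prev = last_seen.get(s["endpoint"])
        if prev and (s["start"] - prev).days > dormant_days:
            reasons.append(f"endpoint dormant {(s['start'] - prev).days} days")
        # Only flag a new remote host when the endpoint already has history,
        # otherwise every first-ever session would fire.
        if known[s["endpoint"]] and s["remote"] not in known[s["endpoint"]]:
            reasons.append("remote host never seen on this endpoint")
        for other_ep, other_start in by_remote[s["remote"]]:
            if other_ep != s["endpoint"] and s["start"] - other_start <= spread_window:
                reasons.append(f"same remote host hit {other_ep} within window")
                break
        last_seen[s["endpoint"]] = s["end"]
        known[s["endpoint"]].add(s["remote"])
        by_remote[s["remote"]].append((s["endpoint"], s["start"]))
        if reasons:
            findings[(s["endpoint"], s["remote"], s["start"].strftime(FMT))] = reasons
    return findings
```

Thresholds such as the 30-day dormancy and the one-hour spread window are starting points to tune against an environment's own baseline of legitimate support sessions.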
There have been other past instances when attackers employed TeamViewer in a similar manner. One was a campaign launched last May by a threat actor who wanted to install the XMRig crypto mining software on systems after gaining initial access through the tool.
Another instance featured a data exfiltration campaign, which Huntress investigated in December. According to the incident logs, the threat actor established an initial foothold in the victim environment using TeamViewer. Much earlier, in 2020, Kaspersky reported on attacks against industrial control system setups that used remote access tools like RMS and TeamViewer for first access.