The cybersecurity researchers at Huntress have issued a warning about a recent surge in cyber attacks, highlighting a new strategy employed by cybercriminals who are exploiting TeamViewer to deploy LockBit ransomware.
TeamViewer has a history of being exploited in large-scale cyber attacks. Recently, once again, cybersecurity experts have observed a surprising surge in cybercriminals’ attempts to exploit TeamViewer, a trusted remote access tool, to deploy LockBit ransomware, potentially exposing users to data encryption and extortion demands.
Researchers claim attackers exploit vulnerabilities in TeamViewer to gain initial access to victim devices and then deploy the aggressive LockBit ransomware, which encrypts critical files and demands substantial ransom payments for decryption.
Although infections were either contained or averted, no ransomware operation has been officially associated with the intrusions. The payload resembled LockBit ransomware encryptors. It is worth noting that in 2022, the ransomware builder for LockBit 3.0 was leaked, allowing the Bl00dy and Buhti gangs to launch their campaigns.
For your information, TeamViewer is a popular remote access tool in the enterprise world. Unfortunately, it has been exploited by scammers and ransomware actors to access remote desktops and execute malicious files for years. In March 2016, numerous victims reported their devices being breached via TeamViewer and attempts made to encrypt files with the Surprise ransomware.
Back then, TeamViewer’s unauthorized access was attributed to credential stuffing, where attackers used users’ leaked credentials instead of exploiting a zero-day vulnerability.
The software vendor explained that online criminals often log on with compromised accounts to find corresponding accounts with the same credentials, potentially allowing them to access all assigned devices for malware or ransomware installation.
The latest analysis from Huntress SOC analysts reveals that cybercriminals continue to use old techniques, abusing TeamViewer to take over devices and deploy ransomware. In one of the instances, as observed by Huntress, a single threat actor used TeamViewer to compromise two endpoints by deploying a DOS batch file on the desktop, and executing a DLL payload.
In both cases, Huntress researchers observed similarities, hinting that a common attacker could be responsible. Huntress observed multiple employee accesses to the first compromised endpoint, indicating that it was used for legitimate administrative tasks. The second endpoint, running since 2018, had no activity in logs for three months, indicating that it is less monitored and potentially more attractive to attackers.
“An investigation into each endpoint illustrated that initial access to each endpoint was achieved via TeamViewer. The final entry from the TeamViewer connections_incoming.txt log file showed the threat actor’s access to each endpoint.”
Huntress
TeamViewer attributes unauthorized access cases to issues in the tool’s default security settings. The attacks appear to be using the password-protected LockBit 3 DLL. However, Bleeping Computer identified a different sample uploaded to VirusTotal that was detected as LockBit Black but it wasn’t using the standard LockBit 3.0 ransomware note, suggesting another ransomware gang’s involvement in creating the builder.
Reports suggest attackers have not launched a widespread campaign yet, which means there is potential for expansion. To protect yourself, update TeamViewer software, enable two-factor authentication, be wary of suspicious connections, and invest in vital cybersecurity solutions like antivirus, anti-malware, and endpoint detection and response (EDR) tools to detect and prevent potential threats.
For insight into the latest development, we reached out to Xage Security’s CEO Geoffrey Mattson who shared the following statement regarding the exploitation of TeamViewer:
“This attack underscores a growing trend in cyber threats, wherein cyber adversaries exploit vulnerabilities in legacy security and virtualization software and steer away from traditional targets like browsers and endpoints. Notably, VPNs, Firewalls, VDIs, and Remote Access Tools have become prime vectors for multi-stage attacks, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue new advisories, such as “Protecting Against Malicious Use of Remote Monitoring and Management Software.”
“The vulnerability is compounded by another challenge – TeamViewer is often installed as “shadow IT” by employees looking for easier access solutions than the official option at their company,” said Geoffrey. “That means the security and IT teams may not even know about the existence of TeamViewer in their environment, and thus won’t know that they’re exposed to this attack vector. The complexity of existing enterprise remote access solutions leads employees to create security risks. Ease-of-use is a security issue,” he warned.
RELATED ARTICLES
- TeamViewer was Targeted by Chinese Hackers in 2016
- Employee PC hacked via TeamViewer in water supply poisoning
- TeamViewer Vulnerability Lets Attackers Take Full Control of PCs
- Fake TeamViewer download ads distributing new ZLoader variant
- Hackers targeting embassies with trojanized version of TeamViewer