TeamViewer has disclosed that its corporate network was breached by an advanced persistent threat (APT) group on June 26.
The breach was discovered when TeamViewer’s security team detected an irregularity in its corporate environment, after which it immediately initiated incident response procedures, began an investigation, and implemented remedial measures.
TeamViewer advised that it has no evidence to suggest that its production environment or any customer data has been impacted by the breach. However, some cybersecurity researchers and Information Sharing and Analysis Centres (ISACs) have recommended that users review logs for unusual remote desktop activity, given the widespread use of TeamViewer and its long history of being abused by various threat actors.
In 2016, TeamViewer was breached by China-based threat actors who successfully deployed the Winnti backdoor on TeamViewer’s network. TeamViewer didn’t disclose the breach until 2019, justifying the disclosure delay by saying no data had been stolen during the attack.
Source: Bleeping Computer
Analysis
On June 28, TeamViewer released a statement providing further information on the breach and the specific APT group behind it. TeamViewer confirmed that the hacking wing of Russia’s Foreign Intelligence Agency (SVR), known as APT 29 or Midnight Blizzard, used the credentials of an employee account to log in to its corporate network. TeamViewer’s security team observed suspicious behaviours associated with this account and immediately put incident response measures in place.
TeamViewer stated that it follows best-practice architecture and keeps all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments.
TeamViewer believes the breach was contained within its corporate IT environment as there is no evidence that APT 29 gained access to its production environment or customer data.
It’s not uncommon for threat actors to take advantage of individual instances of remote desktop software like TeamViewer to access targets of interest. This is usually done via brute-forcing or password guessing. However, the compromise of a remote desktop software provider itself could have a significantly larger impact.
In theory, a threat actor who manages to gain access to the production environment could use every instance of the remote desktop software as a backdoor. Fortunately, so far, this doesn’t appear to be the case.
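The log review recommended above (unusual remote desktop activity) can be scripted. The following is an added example, not code from the article or from TeamViewer: it reads incoming-connection records, assuming the tab-separated layout of TeamViewer's Connections_incoming.txt (remote ID, display name, start, end, local user, connection type, session ID) and the `FileTransfer` type value, and flags sessions from unknown remote IDs, outside business hours, or involving file transfer. The allow-list, hours and log lines are constructed for illustration.

```python
# Added example (not from the original article): triage TeamViewer incoming-connection
# records for sessions worth a second look. Field layout and date format are assumed
# from Connections_incoming.txt; verify against a real file before relying on it.
from datetime import datetime, time

KNOWN_REMOTE_IDS = {"123456789"}            # constructed allow-list of trusted TeamViewer IDs
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # local working hours; tune per site

def parse_line(line):
    """Split one log record into a dict; returns None for blank or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    remote_id, name, start, _end, local_user, kind, session_id = fields[:7]
    try:
        started = datetime.strptime(start, "%d-%m-%Y %H:%M:%S")
    except ValueError:
        return None
    return {"remote_id": remote_id, "name": name, "started": started,
            "local_user": local_user, "kind": kind, "session": session_id}

def find_unusual(lines, known_ids=KNOWN_REMOTE_IDS, hours=BUSINESS_HOURS):
    """Return (record, reasons) for every session that matches at least one rule."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["remote_id"] not in known_ids:
            reasons.append("unknown remote ID")
        if not (hours[0] <= rec["started"].time() <= hours[1]):
            reasons.append("outside business hours")
        if rec["kind"] == "FileTransfer":      # assumed type value for file-transfer sessions
            reasons.append("file transfer session")
        if reasons:
            flagged.append((rec, reasons))
    return flagged

# Constructed sample records, not real data.
SAMPLE_LOG = [
    "123456789\tHelpdesk PC\t26-06-2024 10:15:02\t26-06-2024 10:40:11\tjsmith\tRemoteControl\t{A1}",
    "987654321\tUnknown\t26-06-2024 02:13:45\t26-06-2024 02:45:10\tAdministrator\tRemoteControl\t{B2}",
    "123456789\tHelpdesk PC\t27-06-2024 12:00:00\t27-06-2024 12:05:00\tjsmith\tFileTransfer\t{C3}",
]

if __name__ == "__main__":
    for rec, why in find_unusual(SAMPLE_LOG):
        print(f"{rec['started']} {rec['remote_id']} ({rec['local_user']}, {rec['kind']}): {', '.join(why)}")
```

Feed it the real log file line by line and extend the allow-list and rules to your environment; a session that matches several rules at once, such as an unknown ID at 02:13 under an administrative account, is the kind of entry to escalate.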
Mitigation
Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for potential security concerns in software used by our clients. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of potential vulnerabilities.
Field Effect MDR users are automatically notified if vulnerable (or potentially vulnerable) software is detected in their environment, and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect will continue to monitor this incident and enhance our monitoring of TeamViewer software activity. At this time, we have not detected any abuse of TeamViewer associated with this breach.