In a concerning development, cybercriminals are once again leveraging the widely-used remote access tool, TeamViewer, to breach organizational networks and attempt ransomware deployments. The legitimate tool, known for its simplicity and broad enterprise usage, has unfortunately become a favored entry point for scammers and ransomware actors.
This tactic is not entirely new, as a similar case was reported in March 2016 when victims confirmed their devices were breached using TeamViewer to deploy the Surprise ransomware. TeamViewer attributed the unauthorized access to credential stuffing, where attackers exploited leaked user credentials rather than exploiting software vulnerabilities.
A recent report from cybersecurity firm Huntress reveals that cybercriminals are persisting with these tactics, infiltrating devices via TeamViewer to initiate ransomware attacks. The analysis of log files indicated connections from the same source in both cases, suggesting a common attacker.
In one compromised endpoint, Huntress observed multiple legitimate accesses by employees, indicating active use of TeamViewer for administrative tasks. In the second endpoint, which had been running since 2018, a lack of recent activity in the logs made it a potentially more attractive target for attackers.
In both instances, cybercriminals attempted to deploy ransomware using a DOS batch file (PP.bat) that executed a DLL file (payload) via a rundll32.exe command. While the attack on the first endpoint was successful but contained, the antivirus product on the second endpoint thwarted the efforts, leading to repeated payload execution attempts with no success.
Although Huntress could not definitively attribute the attacks to known ransomware gangs, similarities to LockBit encryptors created with a leaked LockBit Black builder were noted. In 2022, the builder for LockBit 3.0 was leaked, enabling various versions of the encryptor, including an executable, a DLL, and an encrypted DLL requiring a password for proper launch.
While the specific sample seen by Huntress was not found, a different sample detected as LockBit Black was identified on VirusTotal last week, indicating that various ransomware groups may be utilizing the leaked builder.
The method by which threat actors gain control of TeamViewer instances remains unclear. However, organizations are urged to enhance their security measures to mitigate the risk associated with such attacks. TeamViewer emphasizes the importance of securing installations to protect against unauthorized access and potential exploitation by cybercriminals.
To delve deeper into this topic, please read the full article on Bleeping computer