TeamViewer says “a compromised employee account” led to a Russian breach. While the company makes reassuring noises about its segmented network, it also said the tool was installed on more than 2.5 billion devices.
And that’s a worry, despite the calming PR. In today’s SB Blogwatch, we wonder why TeamViewer didn’t enforce MFA for employees (see also: Snowflake, Okta, Uber, etc., etc.)
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: MalwareTech explains.
What’s the craic? Lawrence Abrams reports: TeamViewer’s corporate network was breached in alleged APT hack
“Russia’s Foreign Intelligence Service”
Remote access software company TeamViewer is warning that its corporate environment was breached. … While TeamViewer states there is no evidence that its product environment or customer data has been breached, its massive use in both consumer and corporate environments makes any breach a significant concern. … TeamViewer is a very popular remote access software that allows users to remotely control a computer and use it as if they were sitting in front of the device.
…
TeamViewer is now attributing the attack to … APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard, [a] group linked to Russia’s Foreign Intelligence Service (SVR). … In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors.
APT29? Jonathan Greig reminds us: Russia’s ‘Cozy Bear’ hackers
“The Kremlin”
The group, allegedly housed within Russia’s Foreign Intelligence Service (SVR), has been implicated in several of the most consequential hacks of the last decade — including the 2020 SolarWinds hack and the 2016 attack on the Democratic National Committee. … A spokesperson for [TeamViewer] did not respond to several questions about what systems or data were accessed by APT29.
…
On Thursday, … several organizations began warning customers and members about APT29’s attack on TeamViewer. Cybersecurity firm NCC Group and a healthcare industry cybersecurity coalition both released private alerts raising alarms about the breach. … APT29’s focus is obtaining intelligence that helps the Kremlin make strategic decisions, … targeting data that provides insight into foreign affairs. … Microsoft has begun notifying more organizations that their emails and other information was accessed as part of APT29’s attack.
Horse’s mouth? TeamViewer’s PR soothers: TeamViewer IT security update
“Compromised employee account”
Our security team detected an irregularity in TeamViewer’s internal corporate IT environment. … There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing.
…
According to current findings the threat actor leveraged a compromised employee account to copy employee directory data—i.e., names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. … We hardened authentication procedures for our employees to a maximum level.
Ah, throwing an employee under the bus again? Shades of LastPass, suggests ilrwbwrkhv:
I wonder how much of this is because the software talent which joins TeamViewer or LastPass is of really poor quality. I mean, is there any good engineer who actually wants to work for these companies?
Ouch. But it’s far from the first such issue at TeamViewer, notes cosmodrome:
Teamviewer has been moving from security hole to security hole for years. But this time they’re not to blame because “the Russians did it.”
Funny how all the usual suspects have turned from jerks who don’t want to reduce their profits by selling well-tested and secure products when they can just leave their customers with the damage and walk away into concerned victims of “state-sponsored” supervillains, “nation backed” “APT” and other invincible attackers. … But even if it really were the Rrrussians gasp, TeamViewer … still are to blame because they ****ing let them in!
Is TeamViewer inherently dangerous? Yes, says Midnight_Falcon:
Remote Management or “RMM” tools are one of the biggest security risks facing US companies right now. IT Departments and small-to-large IT companies roll them out, giving the software persistent full system or admin access on every workstation.
The software is often made by companies that are smallish and don’t have much of a security operation, or larger and have been en****tified through acquisition—SolarWinds anyone? RMM software should require user interaction to start a session and then either uninstall itself or revoke all its permissions until next time.
Or switch products. But to what? Here’s KentGeek’s experience:
I dumped TeamViewer a few months ago in favor of Google Remote Desktop. It satisfies my occasional low bar requirements, and doesn’t make me feel guilty for using it without pay. I connect between iPad, Windows, Linux, a couple of times a month. Easiest thing I’ve found so far.
What’s this about making you feel guilty? The Dogs Meevonks barks disapprovingly:
They turned into a really ****** company that tried to force people into paying hundreds for their ‘free, non commercial’ license. … I used them to support my elderly mum and my sister, both of whom were at least a 40-60 min drive away. They pulled the same old **** that every remote desktop company pulls after they get a little too big for their boots: ‘We think you’re a commercial user and you must pay.’
…
So a few weeks ago, I switched to RustDesk, which is an open source solution and does everything I need for free, forever and you [don’t] have to rely on some ******** corp who lies through their teeth to try and con people out of money.
That’s not ideal. bobbutts agrees:
Spammy jerks. Left them years ago. Maybe they should have considered working on security instead of making their free product useless and accusing me of using it commercially over and over again when accessing my own PC for personal use.
Meanwhile, this Anonymous Coward darns TeamViewer to heck:
Oh noes! The software designed for use by scammers got hacked? TeamViewer should rot in the hot place.
Marcus “MalwareTech” Hutchins explains economics
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Tim Reckmann (cc:by; leveled and cropped)