Hackers are again using TeamViewer to penetrate computers and deploy ransomware, according to a new report from cybersecurity researchers Huntress.
TeamViewer is one of the most popular remote access and remote desktop management tools out there. It is a legitimate piece of software that is widely used in the corporate world to give users quick and seamless access to remote endpoints.
However, its popularity also means that it is a popular target among hackers.
LockBit builder
Years ago, security experts warned that threat actors were targeting devices running TeamViewer to deploy ransomware. At the time, it was noted that TeamViewer itself was not vulnerable, but it was the users and their poor password hygiene that led to the attacks. By securing TeamViewer instances with easy-to-guess passwords, victims gave cybercriminals access to them via credential stuffing and brute force.
Many people use the same username and password combination for multiple services. When a service is hacked and its credentials are leaked, hackers can easily move to other services as well.
Now Huntress warns that some hackers are using the same attack vector again. The researchers described two examples, both of which appear to come from the same threat actor. While one endpoint was actively used by company staff, the other remained unattended for months, making it an ideal target for threat actors.
Fortunately for the target companies, both attacks were unsuccessful: the first was quickly contained and the second was prevented by anti-virus software. That doesn’t mean the attackers were completely unsuccessful; other attempts, made elsewhere, might have been successful.
Huntress was unable to identify the attackers, but claims the encryptors were similar to those created with the leaked LockBit Black builder.
The builder for LockBit 3.0 leaked over a year ago, BleepingComputer recalls, after which two ransomware groups – Bl00dy and Buhti – used it to launch their own campaigns.
Ny Breaking has contacted TeamViewer for comment.