TeamViewer Compromise

by | Jul 1, 2024 | News, Security

TeamViewer is a common piece for software that allows IT businesses to remotely access, control, manage, monitor, and repair devices – from laptops and mobile phones to industrial machines and robots. Many software vendors include it to allow them to remotely support their software for their clients.

Word is coming out quickly that TeamViewer has found an “irregularity” on their internal networks yesterday.

Their claim is that their product remains safe, however, Trend Micro has been tracking unusual connections, including from TeamViewer instances protected by strong passwords and MFA, for at least a month. This story is developing quickly and we are watching it closely.

Please note that TeamViewer is not in the Kinetics KARE Tech stack.

We don’t install it as part of our support platform, BUT it is included by some software vendors for their technical support of their customers. We are working through a list of all clients to make sure protections are in place.

This attack is suspected to have come from the APT29 group. This is a group associated with Russian Foreign Intelligence Service and has been able to breach Microsoft in recent history.

It shows even large security focused companies are vulnerable to the basics, as well as the need to reduce exposure and only use/install these very powerful tools when there is a clear need for them.

Update: 11:00am 1 July 2024

A few hours ago, Teamviewer have released further information that looks like the immediate risk to other systems is low at this stage.  They say that “the threat actor leveraged a compromised employee account”

 The compromised systems: “copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords”

This sounds like they got into Teamviewers AD, this is pretty bad, and means the ongoing risk for them and their customers is certainly non-zero

 The remediation actions they are taking are: “We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state.”

We think this is the right path, and a major undertaking for them. It gives us confidence that, at this time, there is no need at this time, for any drastic action by clients using this software.  

Our advice is  that if Teamviewer is required, or is part of a managed product, like OneLaw, then its fine to leave it installed.  Otherwise, if it is not required, it shouldn’t be installed. Where it is installed, MFA and strong authentication should be enforced.

In fact, learning from this, we bet TeamViewer wish they had enforced MFA onm all their users.  EVERYONE NEEDS MFA ON EVERYTHING