Cybercriminals appear to be abusing the widely used remote access software TeamViewer to gain unauthorized access to computer systems and encrypt them with ransomware. Bleeping Computer reported this, citing a blog post from Huntress that details two separate attack incidents.
In both cases, initial access was made through TeamViewer from the same source, according to security researchers at Huntress, which suggests that the same threat actor was behind both intrusions. The researchers found the evidence in connections_incoming.txt, the log file in which TeamViewer records every incoming remote session on the endpoint.
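Correlating that log across hosts is a routine triage step, so here is an added example of how a responder might do it. The code is not from the Huntress report or from TeamViewer; it assumes the commonly seen tab-separated layout of connections_incoming.txt (remote TeamViewer ID, remote display name, start, end, local user, connection type, session GUID, with day-month-year timestamps), and the log lines, hostnames and IDs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed column layout of connections_incoming.txt (one tab-separated line per incoming session).
FIELDS = ("remote_id", "remote_name", "start", "end", "local_user", "conn_type", "session_guid")
TIMESTAMP_FMT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year order

# Constructed sample logs for two hosts; these are not the artefacts from the Huntress report.
SAMPLE_LOGS = {
    "WS-FINANCE-01": (
        "123456789\tit-helpdesk\t10-01-2024 16:02:50\t10-01-2024 16:04:58\tjsmith\tRemoteControl\t{11111111-0000-0000-0000-000000000001}\n"
        "987654321\tuser\t12-01-2024 01:17:03\t12-01-2024 01:45:31\tSYSTEM\tRemoteControl\t{11111111-0000-0000-0000-000000000002}\n"
    ),
    "SRV-FILES-02": (
        "987654321\tuser\t12-01-2024 01:52:10\t12-01-2024 02:31:44\tSYSTEM\tRemoteControl\t{22222222-0000-0000-0000-000000000001}\n"
        "555000111\tbackup-vendor\t11-01-2024 09:00:00\t11-01-2024 09:20:12\tadmin\tRemoteControl\t{22222222-0000-0000-0000-000000000002}\n"
    ),
}


def parse_connections(host, text):
    """Parse one host's connections_incoming.txt into a list of session dicts."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"{host}:{lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["host"] = host
        rec["start"] = datetime.strptime(rec["start"], TIMESTAMP_FMT)
        rec["end"] = datetime.strptime(rec["end"], TIMESTAMP_FMT)
        rec["duration"] = rec["end"] - rec["start"]
        sessions.append(rec)
    return sessions


def shared_sources(sessions):
    """Map each remote TeamViewer ID to the hosts it reached; keep only IDs seen on more than one host."""
    hosts_by_id = defaultdict(set)
    for s in sessions:
        hosts_by_id[s["remote_id"]].add(s["host"])
    return {rid: hosts for rid, hosts in hosts_by_id.items() if len(hosts) > 1}


def suspicious_sessions(sessions, allowlist, business_hours=(7, 19)):
    """Flag sessions from remote IDs outside the allowlist or started outside business hours."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in allowlist:
            reasons.append("remote ID not in allowlist")
        if not (business_hours[0] <= s["start"].hour < business_hours[1]):
            reasons.append("started outside business hours")
        if reasons:
            flagged.append((s["host"], s["remote_id"], s["start"].isoformat(), reasons))
    return flagged


def analyse(logs, allowlist):
    """Parse every host's log, then return (IDs shared across hosts, flagged sessions)."""
    sessions = [rec for host, text in logs.items() for rec in parse_connections(host, text)]
    return shared_sources(sessions), suspicious_sessions(sessions, allowlist)


if __name__ == "__main__":
    # Hypothetical allowlist of the organisation's own support IDs.
    shared, flagged = analyse(SAMPLE_LOGS, allowlist={"123456789", "555000111"})
    for rid, hosts in shared.items():
        print(f"remote ID {rid} connected to {len(hosts)} hosts: {sorted(hosts)}")
    for host, rid, when, reasons in flagged:
        print(f"{host}: {rid} at {when}: {'; '.join(reasons)}")
```

On the constructed data the unknown ID 987654321 is the only one that appears on both hosts, and both of its sessions are flagged for being outside the allowlist and starting at night. In a real investigation the log is collected from each endpoint (on Windows it sits in the TeamViewer installation directory) and the allowlist is whatever set of support IDs the organisation actually sanctions.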
Indications of LockBit 3.0 Deployment
On both systems the ransomware was launched through a batch file named PP.bat placed on the desktop. The attack on the first system appears to have succeeded, but remained confined to that machine; on the second system, security software blocked the encryption despite repeated attempts by the attacker to execute the ransomware.
The Huntress researchers do not name the specific ransomware. According to Bleeping Computer, however, their findings indicate that the malware was based on LockBit 3.0. A builder for LockBit 3.0 was leaked in 2022, and since then various groups have been using this ransomware developed by the LockBit gang.
Insecure Passwords as a Possible Entry Point
It remains unclear exactly how the attacker took control of the respective TeamViewer instances. The manufacturer of the remote support software told Bleeping Computer that most cases of unauthorized access stem from weakened default security settings, including the use of insecure passwords, which is only possible in outdated versions of the software.
Indeed, there have been cases in the past where attackers used credentials obtained from known data breaches to take over TeamViewer accounts and infiltrate the associated devices. Trojanized versions of the remote support tool have also been circulated to take over remote systems. The recent attacks therefore do not necessarily imply a vulnerability in TeamViewer itself.
The developer recommends that users protect their systems by using complex passwords and two-factor authentication, keeping the tool up to date, and restricting which TeamViewer IDs may connect to a machine through the Allowlist feature. An article detailing best practices for secure unattended access via TeamViewer is available on the provider's website.