Hackers are back to using TeamViewer to breach computers and deploy ransomware, according to a new report from cybersecurity researchers at Huntress.
TeamViewer is one of the most popular remote access and remote desktop management tools out there. It’s a legitimate piece of software broadly used in the enterprise world to allow users quick and seamless access to remote endpoints.
However, that popularity also makes it a frequent target for hackers.
LockBit builder
Years ago, security experts warned that threat actors were targeting devices with TeamViewer to deploy ransomware. Back then, it was noted that TeamViewer itself was not vulnerable, and instead it was the users and their poor password hygiene that led to the attacks. By securing TeamViewer instances with easy-to-guess passwords, the victims allowed cybercriminals to access them via credential stuffing and brute-forcing.
Many people use the same username/password combination across multiple services. When one service gets breached, and the credentials leak, hackers can easily move into other services, too.
Now, Huntress is warning that some hackers are back to using this same attack vector. The researchers detailed two examples, both of which seem to have come from the same threat actor. While one endpoint was actively used by the company’s staff, the other one was left unattended for months, making it an ideal target for threat actors.
Luckily for the target companies, both attacks were unsuccessful: the first one was quickly contained, and the second one was prevented through antivirus software. That doesn’t mean the attackers failed entirely, as other attempts, made elsewhere, might have been successful.
Huntress wasn’t able to identify the attackers, but claims the encryptors were similar to those created with the leaked LockBit Black builder.
The builder for LockBit 3.0 leaked more than a year ago, BleepingComputer reminds, after which two ransomware groups, Bl00dy and Buhti, used it to launch their own campaigns.
TechRadar Pro has contacted TeamViewer for comment.