TeamViewer is back in the attackers' arsenal: how legitimate software helps break into large companies

Where do hackers get credentials for penetration and is it possible to prevent it?

A recent report from Huntress revealed that cybercriminals are once again using TeamViewer, a legitimate remote access tool, to gain initial access to corporate devices and attempt to deploy ransomware.

The mass use of TeamViewer by attackers was first observed in March 2016, when it was used to deploy the Surprise ransomware. At the time, TeamViewer representatives assured the public that the unauthorized access had been made possible by leaks of user credentials, not by a vulnerability in the remote access program itself.

"Because TeamViewer is a widely distributed piece of software, many online criminals attempt to log in to the target system using data from compromised accounts to find out if there is a TeamViewer account with the same credentials," the software vendor explained at the time.

Going back to the current malware campaign, it's safe to say that TeamViewer is once again in the hands of cybercriminals. In the attack chain reviewed by Huntress, attackers penetrated the target system using TeamViewer and tried to deploy a malicious payload using the batch file "PP.bat", which ran a malicious DLL via rundll32.exe.

Although the attack examined by the experts was unsuccessful, having been blocked by antivirus software, the "bread crumbs" left by the attackers were enough to conduct an investigation.

Huntress could not determine exactly which known ransomware group was behind these attacks, but noted similarities with the LockBit encryptors created with the LockBit Black builder that leaked in September 2022.

Although it is unclear exactly how the hackers were able to gain control of TeamViewer instances this time, company representatives reminded users that, to protect against such attacks, it is fundamentally important to follow the basic principles of cybersecurity: use complex passwords, two-factor authentication and whitelists, and do not forget about regular updates of the software in use.

This is the only way to prevent unauthorized access and protect your company's networks from being compromised.
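One way a defender could hunt for the chain described in the post (a batch file launching a DLL through rundll32.exe while an inbound remote-control session is open), written here as an added example that is not code from Huntress or from the post. The event format, the session window and every file name except PP.bat are constructed; the session start/end times are assumed to come from the host's own TeamViewer connection log, correlated by time rather than by process lineage.

```python
"""Flag rundll32.exe launched from a .bat script during an inbound remote-control session.

Added example with constructed data; not taken from the Huntress report or the post.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Proc:
    ts: datetime          # process creation time
    pid: int
    ppid: int
    image: str            # executable name
    cmdline: str          # full command line


@dataclass(frozen=True)
class Session:
    start: datetime       # inbound remote-control session window (assumed source: TeamViewer's connection log)
    end: datetime


def in_session(ts, sessions):
    return any(s.start <= ts <= s.end for s in sessions)


def flag_rundll32_from_batch(procs, sessions):
    """Return pids of rundll32.exe whose parent is cmd.exe running a .bat inside a session window."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image.lower() != "rundll32.exe":
            continue                                  # rundll32 alone is far too noisy to alert on
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != "cmd.exe":
            continue                                  # require a cmd.exe parent ...
        if ".bat" not in parent.cmdline.lower():
            continue                                  # ... that was started with a batch file
        if in_session(p.ts, sessions):                # ... while someone was remotely connected
            hits.append(p.pid)
    return hits


def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


SESSIONS = [Session(T("2024-01-15 02:10:00"), T("2024-01-15 02:40:00"))]    # constructed
PROCS = [                                                                    # constructed events
    Proc(T("2024-01-15 02:15:01"), 2000, 1000, "cmd.exe", r'cmd.exe /c "C:\Users\Public\PP.bat"'),
    Proc(T("2024-01-15 02:15:02"), 2001, 2000, "rundll32.exe", r"rundll32.exe C:\Users\Public\x.dll,Start"),
    Proc(T("2024-01-15 09:00:00"), 3000, 1000, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    Proc(T("2024-01-15 09:05:00"), 3100, 1000, "cmd.exe", r"cmd.exe /c C:\Scripts\backup.bat"),
    Proc(T("2024-01-15 09:05:01"), 3101, 3100, "rundll32.exe", "rundll32.exe printui.dll,PrintUIEntry"),
]

if __name__ == "__main__":
    print(flag_rundll32_from_batch(PROCS, SESSIONS))   # [2001]
```

The third and fifth events show why the session correlation matters: both are rundll32.exe, and the fifth even comes from a batch file, but neither falls inside a remote session, so only pid 2001 is flagged.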