Hackers Abuse TeamViewer to Launch Ransomware Attacks
Hackers exploit TeamViewer because it provides remote access to systems and allows threat actors to control them.
This can be used for several illicit purposes, such as unauthorized data access, system manipulation, and malware distribution.
Apart from this, the widespread use of TeamViewer makes it an attractive target for threat actors who are actively looking to exploit vulnerabilities and conduct social engineering attacks.
Cybersecurity researchers at Huntress recently identified that threat actors were actively abusing TeamViewer to launch ransomware attacks.
Hackers Abuse TeamViewer
The SOC analysts at Huntress recently alerted on two endpoints hit by ransomware with minimal impact and no threat actor reconnaissance or lateral movement. In addition, security software managed to stop the threat actor's actions.
TeamViewer gave the threat actor access to endpoints A and B. The logs show the same source endpoint name connecting to each, with the following session timestamps:-
- A (7½ minutes)
- B (10+ minutes)
Past incidents involved TeamViewer for crypto miner deployment and curl.exe for data exfiltration.
On endpoint 'A', legitimate admin accesses were noted, while endpoint 'B', whose last TeamViewer login was three months prior, saw the threat actor's access in a 10-minute session.
As for data exfiltration, the earlier incidents have linked TeamViewer to threat actors deploying crypto miners and using curl.exe.
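The two indicators Huntress pulled from the TeamViewer logs above are a recurring source display name and an unusual session (a long connection on a host that had seen no incoming TeamViewer session for months). The following triage script is an added example, not code from the article, from Huntress or from TeamViewer. It assumes the tab-separated layout that TeamViewer's connections_incoming.txt has historically used (TeamViewer ID, display name, start, end, local user, connection type, connection ID, with DD-MM-YYYY timestamps); check that assumption against a real log before relying on it. The two sample logs are constructed to mirror the article's endpoints A and B; the session thresholds are arbitrary tuning values.

```python
"""Triage a TeamViewer connections_incoming.txt log for a known attacker
display name and for long sessions that follow a dormant period.
Added example; the log layout below is an assumption, not documented here."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator taken from the article: the threat actor's endpoint name.
KNOWN_BAD_NAMES = {"WIN-8GPEJ3VGB8U"}
# Tuning values (assumed): what counts as "long" and as "dormant".
LONG_SESSION = timedelta(minutes=5)
DORMANT_GAP = timedelta(days=60)

# Constructed sample logs (tab-separated, assumed TeamViewer layout).
# Endpoint A: routine admin use, then a 7.5-minute session from the IOC name.
SAMPLE_LOG_A = (
    "111222333\tADMIN-PC\t08-01-2024 10:00:00\t08-01-2024 10:20:00\tadmin\tRemoteControl\t{c1}\n"
    "444555666\tWIN-8GPEJ3VGB8U\t15-01-2024 21:30:00\t15-01-2024 21:37:30\tuser\tRemoteControl\t{c2}\n"
)
# Endpoint B: last legitimate session three months earlier, then a 10+ minute session.
SAMPLE_LOG_B = (
    "111222333\tADMIN-PC\t10-10-2023 09:00:00\t10-10-2023 09:05:00\tadmin\tRemoteControl\t{c3}\n"
    "444555666\tWIN-8GPEJ3VGB8U\t15-01-2024 22:01:00\t15-01-2024 22:11:20\tuser\tRemoteControl\t{c4}\n"
)


@dataclass
class Session:
    tv_id: str
    name: str
    start: datetime
    end: datetime
    local_user: str


def parse_log(text: str) -> list[Session]:
    """Parse the log into Session records, oldest first; skip partial lines."""
    sessions = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 4 or not parts[2] or not parts[3]:
            continue  # malformed line, or a session that has not ended yet
        start = datetime.strptime(parts[2], "%d-%m-%Y %H:%M:%S")
        end = datetime.strptime(parts[3], "%d-%m-%Y %H:%M:%S")
        user = parts[4] if len(parts) > 4 else ""
        sessions.append(Session(parts[0], parts[1], start, end, user))
    return sorted(sessions, key=lambda s: s.start)


def triage(text: str) -> list[tuple[str, str, timedelta]]:
    """Return (finding, display name, duration) tuples for suspicious sessions."""
    findings = []
    prev_end = None
    for s in parse_log(text):
        duration = s.end - s.start
        if s.name in KNOWN_BAD_NAMES:
            findings.append(("ioc-name", s.name, duration))
        # A long session after a long silence is the pattern seen on endpoint B.
        if prev_end is not None and s.start - prev_end > DORMANT_GAP and duration >= LONG_SESSION:
            findings.append(("dormant-then-long", s.name, duration))
        prev_end = s.end
    return findings


if __name__ == "__main__":
    for label, log in (("A", SAMPLE_LOG_A), ("B", SAMPLE_LOG_B)):
        for kind, name, duration in triage(log):
            print(f"endpoint {label}: {kind} {name} ({duration})")
```

The dormancy check is the part worth keeping even without a name-based IOC: the attacker name changes between campaigns, but a multi-minute remote-control session on a host that nobody has connected to for months is a durable signal.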
The main ransomware deployment on both endpoints began with a DOS batch file, "PP.bat," launched from the user's desktop.
In turn, that batch file ran the following "rundll32.exe" command:-
- rundll32 C:\Users\user\Desktop\LB3_Rundll32_pass.dll,gdll -pass <32-char password>
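The execution chain above (a batch file on the Desktop spawning rundll32.exe, which loads a password-protected DLL from the same user-writable folder and calls a named export) is detectable from ordinary process-creation telemetry. The following checker is an added example, not code from the article or from Huntress; it assumes a Sysmon-style process event with image, command line, parent image and parent command line, plus an optional DLL hash obtained separately (an image-load event or a file-hash lookup). The suspicious event is constructed to match the article's command, with a made-up 32-character password; the benign event is an ordinary Control Panel launch.

```python
"""Score a process-creation event against the batch -> rundll32 -> DLL chain
described in the article. Added example; event shape is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicator from the article: SHA256 of LB3_Rundll32_pass.dll on endpoint A.
IOC_DLL_SHA256 = {"60ab8cec19fb2d1ab588d02a412e0fe7713ad89b8e9c6707c63526c7768fd362"}

# rundll32 loading a DLL from a user-profile directory and calling an export.
DLL_FROM_USER_DIR = re.compile(
    r'(?i)([a-z]:\\users\\[^\\"]+\\(?:desktop|downloads|appdata\\[^\\"]+)\\[^\s",]+\.dll)\s*,\s*(\w+)'
)
# The -pass switch seen in the article's command (payload needs a password to unpack).
PASS_SWITCH = re.compile(r'(?i)(?:^|\s)-pass(?:\s|$)')
# Parent cmd.exe executing a .bat that lives on the user's Desktop.
BAT_FROM_DESKTOP = re.compile(r'(?i)[a-z]:\\users\\[^\\"]+\\desktop\\[^\s"]+\.bat')


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str
    dll_sha256: Optional[str] = None  # hash of the loaded DLL, if telemetry provides it


def assess(evt: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like the article's chain (empty = benign)."""
    reasons = []
    if not evt.image.lower().endswith("rundll32.exe"):
        return reasons
    m = DLL_FROM_USER_DIR.search(evt.command_line)
    if m:
        reasons.append(f"rundll32 loads {m.group(1)} (export {m.group(2)}) from a user-writable path")
    if PASS_SWITCH.search(evt.command_line):
        reasons.append("-pass switch: password-protected payload")
    if evt.parent_image.lower().endswith("cmd.exe") and BAT_FROM_DESKTOP.search(evt.parent_command_line):
        reasons.append("spawned by a batch file on the user's Desktop")
    if evt.dll_sha256 and evt.dll_sha256.lower() in IOC_DLL_SHA256:
        reasons.append("DLL hash matches a known IOC")
    return reasons


# Constructed events: one mirroring the article's chain, one benign.
SUSPECT_EVENT = ProcessEvent(
    image=r"C:\Windows\System32\rundll32.exe",
    command_line=r"rundll32 C:\Users\user\Desktop\LB3_Rundll32_pass.dll,gdll -pass " + "a" * 32,
    parent_image=r"C:\Windows\System32\cmd.exe",
    parent_command_line=r'cmd.exe /c "C:\Users\user\Desktop\PP.bat"',
    dll_sha256="60ab8cec19fb2d1ab588d02a412e0fe7713ad89b8e9c6707c63526c7768fd362",
)
BENIGN_EVENT = ProcessEvent(
    image=r"C:\Windows\System32\rundll32.exe",
    command_line=r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    parent_image=r"C:\Windows\explorer.exe",
    parent_command_line=r"C:\Windows\explorer.exe",
)

if __name__ == "__main__":
    for label, evt in (("suspect", SUSPECT_EVENT), ("benign", BENIGN_EVENT)):
        print(label, assess(evt) or ["no findings"])
```

The hash match is the weakest of the four signals, since a rebuilt payload changes it; the path, export and -pass pattern survive rebuilds and are what an alert rule should key on, with the Desktop batch parent raising the score.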
Endpoint A's ransomware impact was limited entirely to that endpoint. On B, security software blocked the threat actor, resulting in multiple failed attempts to encrypt files.
The log messages revealed the quarantine of a DLL file, which led the threat actor to make unsuccessful attempts to launch yet another file that was ultimately quarantined as well.
In the end, the primary defense depends on monitoring assets, covering physical and virtual endpoints as well as installed applications.
IOCs
- WIN-8GPEJ3VGB8U – threat actor endpoint name, retrieved from the TeamViewer connections_incoming.txt log
- LB3_Rundll32_pass.dll (from endpoint A) SHA256: 60ab8cec19fb2d1ab588d02a412e0fe7713ad89b8e9c6707c63526c7768fd362
Source credit : cybersecuritynews.com