TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware


The cybersecurity researchers at Huntress have issued a warning about a recent surge in cyber attacks, highlighting a new strategy employed by cybercriminals who are exploiting TeamViewer to deploy LockBit ransomware.

TeamViewer has a history of being exploited in large-scale cyber attacks. Cybersecurity experts have once again observed a surprising surge in cybercriminals' attempts to exploit TeamViewer, a trusted remote access tool, to deploy LockBit ransomware, potentially exposing users to data encryption and extortion demands.

Researchers claim attackers exploit vulnerabilities in TeamViewer to gain initial access to victim devices and then deploy the aggressive LockBit ransomware, which encrypts critical files and demands substantial ransom payments for decryption.

The infections were either contained or averted, and no ransomware operation has been officially associated with the intrusions. The payload resembled LockBit ransomware encryptors. It is worth noting that in 2022, the ransomware builder for LockBit 3.0 was leaked, allowing the Bl00dy and Buhti gangs to launch their campaigns.

TeamViewer is a popular remote access tool in the enterprise world. Unfortunately, scammers and ransomware actors have exploited it for years to access remote desktops and execute malicious files. In March 2016, numerous victims reported that their devices had been breached via TeamViewer and that attempts had been made to encrypt files with the Surprise ransomware.

Back then, the unauthorized access via TeamViewer was attributed to credential stuffing, where attackers used users' leaked credentials instead of exploiting a zero-day vulnerability.

The software vendor explained that online criminals often log on with compromised accounts to find corresponding accounts with the same credentials, potentially allowing them to access all assigned devices and install malware or ransomware.

The latest analysis from Huntress SOC analysts reveals that cybercriminals continue to use old techniques, abusing TeamViewer to take over devices and deploy ransomware. In one of the instances, as observed by Huntress, a single threat actor used TeamViewer to…
