TeamViewer Attack Used In Targeted Campaign


Security researchers have uncovered a new targeted attack using the widely popular TeamViewer desktop sharing application aimed at political activists and government organizations.

The attacks, believed to be part of a nation-state driven cyberespionage campaign, was detected targeting individuals in Hungary, but security experts say it won't likely be long before the technique is used more broadly. The attack was detected and analyzed by researchers at the Laboratory of Cryptography and System Security (CrySyS) in Budapest and the Hungarian National Security Authority (NBF). Called "TeamSpy," the attack campaign uses a modified version of TeamViewer on a victim's machine.

"The attackers install an original, legitimate TeamViewer instance on the victim computer, but they modify its behavior with DLL hijacking, and they obtain remote access to the victim computers in real-time," wrote CrySyS in its analysis of the threat. "The collected evidences suggest that attacks have been carried out in multiple campaigns."

[Related: 5 Costly Hacker Attacks Plaguing Enterprises]

The application is signed with legitimate digital certificates, and the attackers dynamically patch TeamViewer in memory to remove all signs of its presence, according to Kaspersky Lab, which conducted its own analysis of the attack. The attack steals passwords, Apple iOS device history data from iTunes and detailed operating system and BIOS information. The attackers can also use keylogging to record keystrokes and capture screenshots, sending all the information to a remote command-and-control server.

Remote desktop protocol is a common way for targeted attackers to access and steal data from infected machines or access a remote server containing stolen data. Security firms documented attacks by financially motivated cybercriminals who used TeamViewer in 2010. In a recent report on attacks emanating from China, Alexandria, Va.-based security firm Mandiant documented nearly 2,000 RDP sessions using Microsoft's Remote Desktop client. Those attacks were believed to have stolen hundreds of terabytes of data from at least 141 organizations.

According to the CrySyS report, the TeamViewer attacks have been identified against individuals at an embassy in Russia, an industrial manufacturer in Russia, an electronics company in the Middle East, and multiple research and educational organizations in France and Belgium.

The attackers are installing an instance on the software on the victim's machine, CrySyS wrote in the report. Attacks using TeamViewer have been traced back to 2012 with forensics evidence that the attacker activities could go as far back as 2004, according to the report.

Kaspersky, in its analysis, wrote that organizations should scan for the presence of the "teamviewer.exe" application. Security vendors have also issued details about the known domains and IP addresses hosting the command-and-control server. "Implement a rigid patch-management plan throughout the organization," Kaspersky Lab wrote. "This operation includes the use of popular exploit kits that [target] known desktop software security vulnerabilities."

TeamViewer is based in Germany. A company spokesperson was unavailable for comment on Wednesday.

TeamViewer and other remote desktop applications that use the RDP protocol applications are being detected more often in attacks, said Wade Williamson, a security analyst at Santa Clara, Calif.-based network security vendor Palo Alto Networks. Network security vendors have looked at nearly two-dozen variants of RDP, including functionality in Apple, Chrome and other well-known remote sharing tools such as CrossLoop and LogMeIn, Williamson said.

"RDP by nature is pretty locked down, but it's dangerous because you often can't see inside," Williamson told CRN. "It's really important that you know who is using it and what is being used for this functionality."

IT teams using RDP for support need to ensure that only limited access is given to servers and endpoint systems. Managed security services providers also use RDP to administer systems.

"If you are going to be letting employees use RDP to work remotely, that is an ideal use case for two-factor authentication," Williamson said.

PUBLISHED MARCH 20, 2013