News: 1719601244

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

TeamViewer says Russia broke into its corp IT network

(2024/06/28)


TeamViewer says it was Russian intelligence that broke into its systems this week.

Yesterday, the remote-desktop software maker [1]said it detected an "irregularity" within its corporate IT network on Wednesday without adding much more detail.

Now [2]it says , with the help of outside cybersecurity investigators, it reckons Russia's Cozy Bear cyber-spies, aka APT29 and Midnight Blizzard, sneaked into its network using a worker's login. This confirms earlier whispering in the infosec industry that not only did a nation state crew slip into TeamViewer but that it was the infamous Cozy Bear.

[3]

"Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our corporate IT environment," TeamViewer said in its latest statement.

[4]

[5]

"Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action.

"Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard."

[6]

That's the same Kremlin unit that [7]hit the US Democratic National Committee in the 2010s, and more recently [8]compromised Microsoft's computer network and stole internal emails and files from its executives and staff, among other targets. It's the same crew that pulled off [9]the SolarWinds backdoor and has been [10]raiding cloud accounts . It's on a tear.

According to TeamViewer, its encounter with the Russians was limited to its non-production systems, which is the biz's way of asking people not to panic and assume the snoops will definitely be able to get into their PCs via TeamViewer.

"Based on current findings of the investigation, the attack was contained within the corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data," the developer said.

[11]Russia's cyber spies still threatening French national security, democracy

[12]Russia's Cozy Bear caught phishing German politicos with phony dinner invites

[13]Microsoft confirms Russian spies stole source code, accessed internal systems

[14]Near-undetectable malware linked to Russia's Cozy Bear

TeamViewer went on to briefly describe its network setup, again to reassure punters:

Following best-practice architecture, we have a strong segregation of the corporate IT, the production environment, and the TeamViewer connectivity platform in place.

This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.

And just as we were preparing this story for press, the German outfit told us its ongoing probe into the snafu has "strengthened our assessment that the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements."

We're promised more updates from the biz.

[15]

TeamViewer says it has more than 600,000 customers, who use its software and web app to remotely control and manage Windows PCs and other machines. It would be a huge coup for Russia if it were able to compromise something like TeamViewer to the extent it could gain follow-up access to organizations' computers around the world – and terrible news for the rest of us.

We can see why TeamViewer is a fantastic target for the Kremlin. ®

Speaking of Microsoft and APT29

The Windows giant [16]has told more of its customers that emails they exchanged with the corporation were accessed by Cozy Bear when those spies raided Redmond's inboxes, Bloomberg reported Thursday.

“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor,” a Microsoft spokesperson said.

Get our [17]Tech Resources



[1] https://www.theregister.com/2024/06/28/teamviewer_network_breach/

[2] https://www.teamviewer.com/en/resources/trust-center/statement/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zn8yf1VhB2GIoh7Q36tmvQAAAFM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zn8yf1VhB2GIoh7Q36tmvQAAAFM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zn8yf1VhB2GIoh7Q36tmvQAAAFM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zn8yf1VhB2GIoh7Q36tmvQAAAFM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2019/10/17/apt29_still_active_eset_dukes_cozy_bear/

[8] https://www.theregister.com/2024/01/27/microsoft_cozy_bear_mfa/

[9] https://www.theregister.com/2021/04/15/solarwinds_hack_russia_apt29_positive_technologies_sanctions/

[10] https://www.theregister.com/2024/02/27/russia_cozy_bear_new_ttps/

[11] https://www.theregister.com/2024/06/20/russias_cyber_attacks_france_report/

[12] https://www.theregister.com/2024/03/23/russia_cozy_bear_german_politicians_phishing/

[13] https://www.theregister.com/2024/03/08/microsoft_confirms_russian_spies_stole/

[14] https://www.theregister.com/2022/07/06/brc4_state_sponsored_apt29/

[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zn8yf1VhB2GIoh7Q36tmvQAAAFM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[16] https://www.bnnbloomberg.ca/microsoft-tells-some-clients-that-russian-hackers-viewed-emails-1.2090525

[17] https://whitepapers.theregister.com/



Heart attack material

Khaptain

This is an extremely stressful situation for anyone that uses TeamViewer in a professional context as it's one of those tools that allow you to connect with full admin rights to a server/users machine when required.

On a daily basis it's a tool which allows you to gain a plexitude (an exposant of multitude) of time when dealing with offsite serveurs/users and nothing, absolutely nothing, is more important than ensuring that security is absolute.

If they have been hacked we have to consider the potential that we can be also hacked, with full admin rights according to the case, and the alternatives are not in the plenty.

We have 2FA activated and have changed our passwords but we are in doubt, serious doubt about continuing..

If someone can offer a better solution, ( please don't suggest SSH as an alternative, SSH has it's place but not for all occasions), we are all ears.

Another war ... must it always be so? How many comrades have we lost
in this way? ... Obedience. Duty. Death, and more death ...
-- Romulan Commander, "Balance of Terror", stardate 1709.2