TeamViewer’s corporate network breached by suspected APT hack

Remote access software company TeamViewer is warning that its corporate environment was hacked in a cyberattack yesterday, with a cybersecurity firm claiming it was an APT hacking group.

“On Wednesday, June 26, 2024, our security team detected an irregularity in TeamViewer’s internal IT environment,” TeamViewer said in a message posted to its Trust Center.

“We immediately activated our response team and procedures, launched investigations with a world-renowned team of cybersecurity experts, and implemented the necessary corrective measures.”

“TeamViewer’s internal IT environment is completely independent of the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to guarantee the integrity of our systems.”

The company says it plans to be transparent about the breach and will continually update the status of its investigation as new information becomes available.

However, despite claiming to want to be transparent, the “TeamViewer Security Update” page contains an HTML tag that prevents the document from being indexed by search engines, making it difficult to find.

TeamViewer is very popular remote access software that allows users to remotely control a computer and use it as if they were sitting in front of the device. The company says its product is currently used by more than 640,000 customers worldwide and has been installed on more than 2.5 billion devices since its launch.

Although TeamViewer claims that there is no evidence that its product environment or customer data has been breached, its massive use in consumer and enterprise environments makes any breach a major concern as it would provide full access to internal networks.

In 2019, TeamViewer confirmed a 2016 breach attributed to Chinese threat actors based on their use of the Winnti backdoor. The company said it did not disclose the breach at the time because no data was stolen in the attack.

A suspected APT group is behind the attack

News of the breach was first reported on Mastodon by IT security professional Jeffrey, who shared excerpts from an alert posted on the Dutch Digital Trust Center, a web portal used by the government, security experts, and Dutch companies to share information on cybersecurity threats.

“NCC Group’s Global Threat Intelligence team has been informed of a significant compromise of the TeamViewer remote access and support platform by an APT group,” warns an alert from IT security company NCC Group.

“Due to the widespread use of this software, the following alert is securely distributed to our customers.”

An alert from Health-ISAC, a community for healthcare professionals to share threat intelligence, also warned today that TeamViewer services are being actively targeted by Russian hacking group APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard.

“On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting Teamviewer,” reads the Health-ISAC alert shared by Jeffrey.

“Health-ISAC recommends checking logs for unusual traffic on remote desktops. Malicious actors have been observed exploiting remote access tools. Teamviewer has been observed to be exploited by malicious actors associated with APT29.”

APT29 is a Russian advanced persistent threat group linked to the Russian Foreign Intelligence Service (SVR). The hacking group is known for its cyber espionage capabilities and has been linked to numerous attacks over the years, including attacks on Western diplomats and a recent breach of Microsoft’s corporate email environment.

While both alerts came today, just as TeamViewer disclosed the incident, it is unclear whether they are related, as the TeamViewer and NCC alerts address the corporate breach while the Health-ISAC alert focuses more on the targeting of TeamViewer connections.

NCC Group told BleepingComputer they had nothing further to add when contacted for more information.

“As part of our threat intelligence service to our customers, we regularly issue alerts based on various sources and intelligence,” NCC Group told BleepingComputer.

“At this time, we have nothing to add to the alert that was sent to our customers.”

BleepingComputer also contacted TeamViewer with questions about the attack, but was told no further information would be shared while they investigated the incident.

Updated 06/27/24: Added a statement from NCC Group.

News Source: Gn tech