In a concerning turn of events, cybercriminals are revisiting a familiar strategy by exploiting TeamViewer, a widely used remote access tool, to gain unauthorized access to organizational endpoints. Their primary objective? Deploying encryptors based on the notorious LockBit ransomware builder. Despite previous incidents, this method has resurfaced, revealing a persistent threat that demands heightened cybersecurity measures.
TeamViewer, known for its simplicity and extensive use in the enterprise world, is unfortunately becoming a tool of choice for malicious actors. The recent incident echoes a similar case in March 2016 when the Surprise ransomware infiltrated devices using TeamViewer. The explanation then was credential stuffing, highlighting the importance of securing leaked credentials to thwart unauthorized access.
The Huntress Report:
A recent report from Huntress sheds light on the ongoing exploitation of TeamViewer by cybercriminals. The analysis of log files revealed connections from a common source, indicating a shared attacker. Interestingly, the attackers attempted to deploy ransomware using a DOS batch file (PP.bat), executing a DLL file (payload) via rundll32.exe command.
Success and Containment:
The first compromised endpoint fell victim to the attack, but quick containment measures prevented further damage. In the second case, an antivirus product thwarted the effort, highlighting the critical role of robust security solutions. The analysis also noted similarities to LockBit encryptors, particularly those created using the leaked LockBit Black builder.
LockBit 3.0 Builder Leak:
The year 2022 witnessed the leak of the ransomware builder for LockBit 3.0, with several gangs swiftly launching campaigns. The leaked builder enables the creation of various encryptor versions, including executables, DLLs, and encrypted DLLs requiring a password for proper launch.
LockBit 3 DLL in Action:
Huntress’ Indicators of Compromise (IOCs) point to the use of the password-protected LockBit 3 DLL in the TeamViewer attacks. While the specific sample seen by Huntress remains elusive, another sample, detected as LockBit Black, surfaced on VirusTotal, indicating multiple ransomware gangs utilizing the leaked builder.
TeamViewer’s Response:
The method by which threat actors are seizing control of TeamViewer instances remains unclear. However, TeamViewer shared a statement emphasizing their commitment to addressing these attacks and securing installations. As organizations grapple with evolving cyber threats, vigilance and proactive cybersecurity measures are paramount.
The resurgence of TeamViewer-based attacks underscores the adaptability of cybercriminals. Organizations must prioritize cybersecurity awareness, implement robust protective measures, and stay informed about emerging threats to safeguard their digital assets from evolving ransomware tactics. As the landscape continues to evolve, collaboration between cybersecurity experts and organizations is essential to stay one step ahead of the adversaries.