TeamViewer hacked (June 2024)

The remote software vendor TeamViewer has fallen victim to a successful cyber attack. Unknown perpetrators (some say APT29) were able to infiltrate the internal IT environment and gain access to the network. However, the provider states that its product environment was not affected. There are also no signs that customer data has been compromised, TeamViewer writes.


First rumors about the hack

I have received information or questions from several blog readers as to whether TeamViewer has been hacked. On Mastodon, Kevin Beaumont has linked to a post about the cyber incident. There it says:

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group. Due to the widespread usage of this software the following alert is being circulated securely to our customers."

NCC Group can't disclose the source at this time and keeps investigating. Big source, but no substance. Curious to see how this will work out.

NCC Group is an information security company headquartered in Manchester, United Kingdom. It only says that it became aware of a hack, but cannot disclose any further information. A Health-ISAC source accuses APT29 (Cozy Bear) of being responsible for the hack. It says:

"On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting Teamviewer. Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools. Teamviewer has been observed being exploited by threat actors associated with APT29."

In short, the folks at Health-ISAC received information from a trusted intelligence partner that APT29 was actively exploiting Teamviewer (here I would have said that this is not an indication that APT29 is behind the hack).
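Health-ISAC's advice above boils down to reviewing remote-access logs for sessions that do not fit normal use. The following script is an added illustration of such a review (not code from this post, TeamViewer or Health-ISAC): it assumes the tab-separated layout of TeamViewer's Connections_incoming.txt, and the partner allow-list, business hours and log lines are constructed for the example.

```python
# Added illustration, not code from the post, TeamViewer or Health-ISAC.
# Assumes the tab-separated layout of TeamViewer's Connections_incoming.txt:
# partner ID, partner name, start, end (DD-MM-YYYY HH:MM:SS), local user,
# connection type, connection GUID. Allow-list and log lines are constructed.
from datetime import datetime

TS_FORMAT = "%d-%m-%Y %H:%M:%S"
KNOWN_PARTNERS = {"111111111", "222222222"}   # constructed helpdesk/vendor IDs
BUSINESS_HOURS = range(7, 19)                 # 07:00 to 18:59 local time

# Constructed sample log: one normal session, one off-hours session from an
# unknown partner, one weekend session from a known vendor.
SAMPLE_LOG = (
    "111111111\tHelpdesk\t24-06-2024 09:15:00\t24-06-2024 09:40:00\talice\tRemoteControl\t{c1}\n"
    "999999999\tUnknown\t26-06-2024 02:30:00\t26-06-2024 11:00:00\tsvc-backup\tRemoteControl\t{c2}\n"
    "222222222\tVendor\t29-06-2024 10:00:00\t29-06-2024 10:20:00\tbob\tRemoteControl\t{c3}\n"
)

def parse_line(line):
    """Return one session as a dict, or None for blank or malformed lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 7:
        return None
    pid, name, start, end, user, ctype, conn_id = fields
    return {
        "partner_id": pid, "name": name, "user": user, "type": ctype,
        "conn_id": conn_id,
        "start": datetime.strptime(start, TS_FORMAT),
        "end": datetime.strptime(end, TS_FORMAT),
    }

def review(log_text, known=KNOWN_PARTNERS, hours=BUSINESS_HOURS, max_hours=8):
    """Flag sessions from unknown partners, outside business hours, or unusually long."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["partner_id"] not in known:
            reasons.append("unknown partner ID")
        if rec["start"].weekday() >= 5 or rec["start"].hour not in hours:
            reasons.append("outside business hours")
        if (rec["end"] - rec["start"]).total_seconds() > max_hours * 3600:
            reasons.append(f"session longer than {max_hours}h")
        if reasons:
            findings.append((rec["partner_id"], rec["user"], rec["start"].isoformat(), reasons))
    return findings
```

Calling review(SAMPLE_LOG) returns two findings: the night-time session from the unknown partner (flagged for all three reasons) and the vendor's Saturday session; the helpdesk session passes.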

APT29, also known as Cozy Bear, is the name of a Russian state-sponsored hacking group that is held responsible for many attacks. APT29 is said to have links to the Russian Foreign Intelligence Service (SVR).

TeamViewer confirms the hack

TeamViewer has confirmed a cyberattack on its IT network. The TeamViewer Trust Center states that the internal security team detected an anomaly in the company's internal IT environment on Wednesday, June 26, 2024. The following message discloses no details about the attacker or about what was noticed:

TeamViewer IT security update

On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer's internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures.

TeamViewer's internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems.

Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available.

The TeamViewer response team was immediately activated and the corresponding processes for emergency plans were initiated. Together with external IT security experts, TeamViewer IT staff began investigating the hack as soon as the incident became known. The necessary protective measures were also implemented.


The company assures that TeamViewer's internal IT environment is completely independent of the product environment. To date, there are no indications that the TeamViewer product environment or customer data could have been affected. However, investigations are ongoing and the main focus of current efforts is to ensure the integrity of the systems.

On an extremely positive note, TeamViewer has been proactive in dealing with the incident and has placed great emphasis on transparent communication. The company intends to publish regular updates on the status of its investigations as new information becomes available. This differs fundamentally from the behavior of its competitor AnyDesk, which was hacked in December 2023 but kept this under wraps until I gradually disclosed the details here in the blog (see links at the end of the article).

TeamViewer Remote is proprietary software for remote access, remote control and remote maintenance of computers and other end devices that was released in 2005. The company claims that its product is currently used by over 640,000 customers worldwide and has been installed on over 2.5 billion devices since its launch. In 2019, there were rumors that TeamViewer had been hacked (I published the German article TeamViewer-Hack: Hatte APT41-Gruppe Zugriff auf Millionen Geräte?).

Update from June 28, 2024

TeamViewer has added an update to its information in the TeamViewer Trust Center on June 28, 2024, 12:10 CET. I am posting the text excerpt 1:1 below.

Security Update – June 28, 2024, 8:15 PM CEST

In collaboration with globally leading cyber security experts and relevant government authorities, our security teams continued their diligent investigation of the reported incident. Today's findings strengthened our assessment that the attack was contained within TeamViewer's internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements.

Given our strong commitment to security, we take the threat very seriously. We will continue our thorough investigation over the next days to enrich the collected evidence further and exhaust all investigative options. We will continue to provide updates in our Trust Center as new information becomes available.

Security Update – June 28, 2024, 12:10 PM CEST

A comprehensive taskforce consisting of TeamViewer's security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.

Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.

Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place. This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach.

Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we commit to transparent communication to stakeholders. We will continue to update the status of our investigations in our Trust Center as new information becomes available. We expect to post the next update by end of today CEST.

In this update, the attribution to APT29 that I mentioned above is confirmed (Midnight Blizzard is an alternative name for APT29 or Cozy Bear). The results of the investigation are interesting: they point to an attack on Wednesday, June 26, 2024, carried out with the credentials of a standard employee account in the TeamViewer Corporate IT environment. Based on continuous security monitoring, the company's team detected suspicious behavior of the account and immediately took countermeasures. The investigation of the incident is currently being continued together with an external incident response service provider. According to the current status of the investigation, the attack remained limited to TeamViewer's corporate IT environment, the company writes.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Custom clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12
Microsoft Defender blocks Anydesk clients (since 28 February 2024)
AnyDesk: They have signed the client with an old certificate (April 24, 2024)
