On Thursday, TeamViewer announced that on June 26, 2024, it discovered an “irregularity” in its internal corporate IT environment.
“We immediately activated our response team and procedures, began an investigation with a team of world-renowned cybersecurity experts, and implemented the necessary remedial measures,” the company said in a statement.
It also noted that its corporate IT environment is completely cut off from the product environment and that there is no evidence that any customer data was affected by the incident.
It did not reveal any details about who may have been behind the intrusion or how they were able to carry it out, but said the investigation is ongoing and that it will provide status updates as new information becomes available.
Based in Germany, TeamViewer is a maker of remote monitoring and management (RMM) software that enables managed service providers (MSPs) and IT departments to manage servers, workstations, network devices and endpoints. It is used by more than 600,000 customers.
Interestingly, the Health Information Sharing and Analysis Center (Health-ISAC) has issued a bulletin about the active use of TeamViewer by threat actors, according to the American Hospital Association (AHA).
“Threat actors have been observed using remote access tools,” the non-profit said. “TeamViewer has been observed to be used by threat actors associated with APT29.”
It is unclear at this time whether this means attackers are abusing vulnerabilities in TeamViewer to break into customer networks, using poor security techniques to infiltrate targets and deploy software, or whether they have launched an attack on TeamViewer’s own systems.
APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard and The Dukes, is a state-sponsored threat actor associated with the Foreign Intelligence Service of Russia (SVR). It was recently linked to breaches of Microsoft and Hewlett Packard Enterprise (HPE).
Microsoft has since discovered that APT29 was also accessing some customer mailboxes following a breach that came to light earlier this year, according to reports from Bloomberg and Reuters.
“This week, we are continuing to notify customers who corresponded with Microsoft corporate email accounts that were compromised by the Midnight Blizzard threat actor,” the news agency quoted the tech giant as saying.
The attack is officially attributed to APT29
TeamViewer, in an update on Friday, attributed the attack to APT29, saying it targeted credentials associated with an employee account in its corporate IT environment.
“Based on ongoing security monitoring, our teams identified suspicious behavior by this account and immediately took incident response measures,” the revised alert said. “There is no evidence that a threat actor gained access to our product environment or customer data.”
NCC Group, which first warned of the breach through limited disclosure due to the widespread use of the software, has recommended removing the software “until more details are known about the type of compromise TeamViewer has been subjected to.”
Threat actors target a compromised employee account
In an updated advisory published on June 30, TeamViewer confirmed that the breach did not affect the product environment, the TeamViewer connection platform or any customer data, saying it was working to rebuild its internal corporate IT environment to make it more secure.
“According to current findings, a threat actor used a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment,” it said. “We have informed our staff and the relevant authorities.”
TeamViewer, which works with Microsoft on incident response measures, said the risk associated with encrypted passwords contained in the directory has been reduced. It also said that it has strengthened the authentication procedure for its employees to the maximum level and implemented additional robust layers of protection.
“APT29 is one of the most sophisticated participants we track, and they target technology companies of all sizes,” said John Hultquist, principal analyst at Google-owned Mandiant. “They work very hard to stay off the radar, but despite their focus on stealth, they’re not afraid to launch these bold attacks on supply chains.”
“They move through technology companies to get to their customers, where they expect to find the intelligence that fuels the decision-making in the Kremlin. As a rule, they seek understanding of foreign affairs, with a particular focus on support for Ukraine. Recently, they have also targeted political parties in Germany.”
TeamViewer reaffirms that the attack is limited to its corporate IT environment
In its latest update, published on July 4, 2024, TeamViewer said the breach was contained within the company’s internal IT environment and that no customer data was accessed.
“All of the immediate remedial measures we have put in place for our internal corporate IT environment, as well as the additional layers of protection we have put in place, have proven to be very effective: there has been no suspicious activity in our internal corporate IT environment since our security services blocked the attack immediately after detection,” it said.