TeamViewer, a remote control software provider, has confirmed that it was the victim of a cyberattack.
In a statement on June 30, TeamViewer said: “As the investigation progresses, we reconfirm that the attack has been contained to our internal corporate IT environment. Most importantly, our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data.”
The threat actor leveraged a compromised employee account to copy employee directory data, such as names, corporate contact information and encrypted employee passwords, for TeamViewer’s internal corporate IT environment.
“The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft,” TeamViewer said. “We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state.”
Midnight Blizzard Gets the Blame
As for the threat actor responsible for the attack, TeamViewer believes the state-sponsored Russian group Midnight Blizzard, also known as Cozy Bear and APT29, was behind it.
SC Media, a sister publication to MSSP Alert, reported that security pros have raised concerns because Midnight Blizzard has also been in the news due to more Microsoft customers being confirmed to have had their emails compromised by the group as part of an attack against Microsoft executives’ emails. The attacks on Microsoft accounts were disclosed in January, and some of them resulted in unauthorized access to correspondence from U.S. government agencies.
Midnight Blizzard has been associated with several high-profile intrusions since 2008, SC Media said, including the 2015 compromise of the Democratic National Committee and the 2020 SolarWinds incident. More recently, attacks against Microsoft and Hewlett Packard Enterprise during 2023-2024 have been attributed to Midnight Blizzard, with the group potentially accessing and exfiltrating sensitive information from mailboxes.
The recent TeamViewer incident showcases Midnight Blizzard’s mastery of advanced 3D phishing techniques, Stephen Kowski, field CTO at SlashNext, told SC Media. Kowski said that by seamlessly blending meticulously crafted text messages, Microsoft Teams messages and email phishing, the threat actors have shown they can create a multi-channel assault that's incredibly difficult to detect and defend against.
Kowski added that with 3D phishing on the rise, it’s crucial for organizations to adopt a multi-layered approach to phishing. This includes implementing AI-powered solutions capable of analyzing and flagging anomalies across various communication channels, conducting regular security audits, and most importantly, investing in comprehensive employee training.
Therefore, it is recommended that all TeamViewer customers enable multi-factor authentication, set up an allow and block list so only authorized users can make connections, and monitor their network connections and TeamViewer logs.
This attack echoes another one this year against a remote monitoring and management tool, ScreenConnect, which is part of ConnectWise's platform of MSP tools.
About TeamViewer
Göppingen, Germany-based TeamViewer provides a connectivity platform to remotely access, control, manage, monitor and repair devices of any kind – from laptops and mobile phones to industrial machines and robots, according to the company’s website. TeamViewer is free of charge for private use and has more than 640,000 subscribers, enabling companies of all sizes to digitalize their business-critical processes through seamless connectivity.
Since the company’s inception in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world, the company said.
TeamViewer was recently recognized with the 2024 Microsoft Apps & Solutions for Microsoft Teams Partner of the Year Award.