TeamViewer can't bring itself to say someone broke into its network – but it happened

Claims customer data, prod environment not affected as NCC sounds alarm

Updated TeamViewer on Thursday said its security team just "detected an irregularity" within one of its networks – which is a fancy way of saying someone broke in.

We're told this "irregularity" was spotted inside TeamViewer's corporate IT environment on Wednesday, and that the biz immediately called in reinforcements in the form of cyber security investigators, implemented "necessary remediation measures," and activated its incident response team and processes, according to an announcement on Thursday.

TeamViewer sells software to remotely control and manage Windows PCs and other computers as well as tools to access systems via the web, and is used the world over. The words "TeamViewer" and "security breach" will make some people's blood run cold given how pervasively it is used; a compromise of the platform could be devastating. TeamViewer says it has more than 600,000 customers.

Regardless, the software maker's disclosure attempted to downplay the intrusion – sorry, "irregularity."

"TeamViewer's internal corporate IT environment is completely independent from the product environment," it read. "There is no evidence to suggest that the product environment or customer data is affected."

But, it added, "investigations are ongoing and our primary focus remains to ensure the integrity of our systems."

TeamViewer spokesperson Maria Gordienko declined to answer The Register's specific questions about the incident – including whether it was ransomware or worse – citing the ongoing investigation. "As soon as new relevant facts become available, we will update the statement for the general public," she deflected. 

It appears top infosec house NCC Group has already tipped off its customers to the security snafu, and blamed an unnamed advanced persistent threat (APT) team.

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," NCC warned in a memo, shared earlier on Mastodon by an IT security pro going by the name Jeffrey.

"Due to the widespread usage of this software the following alert is being circulated securely to our customers," the shared missive, confirmed as legit by NCC, continued. We've asked the security group for further details for the public.

And speaking of TeamViewer and APTs, Brett Callow, threat analyst at Emsisoft, pointed to an alert Thursday by the US-based Health Information Sharing and Analysis Center (H-ISAC) to the health sector about ongoing exploitation of TeamViewer and how healthcare operators should respond.

That memo reads:

The Health Information Sharing and Analysis Center June 27 issued a threat bulletin alerting the health sector to active cyberthreats exploiting TeamViewer. H-ISAC recommends users review logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools, H-ISAC said. The agency recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.
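The bulletin's first recommendation, reviewing logs for unusual remote desktop traffic, is something a defender can script. The following is an added example written for this page; it is not code from TeamViewer, H-ISAC or The Register. It assumes the tab-separated layout of TeamViewer's `Connections_incoming.txt` (partner ID, partner name, start, end, local user, connection type, connection ID, with `dd-mm-yyyy hh:mm:ss` timestamps), which you should verify against your own installation, and it uses constructed sample lines, a constructed allowlist of permitted partner IDs, and an assumed business-hours window to flag sessions worth a second look.

```python
"""Flag unusual TeamViewer incoming connections from a connection log.

Added example, not part of the article or the H-ISAC bulletin. The log layout
(tab-separated Connections_incoming.txt fields) is an assumption; check it
against your own installation before relying on this parser.
"""
from datetime import datetime

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
123456789\tHelpdesk-Laptop\t26-06-2024 09:15:02\t26-06-2024 09:40:11\tjsmith\tRemoteControl\t{aaaa-1111}
987654321\tUnknown\t27-06-2024 02:47:30\t27-06-2024 03:12:05\tjsmith\tRemoteControl\t{bbbb-2222}
123456789\tHelpdesk-Laptop\t27-06-2024 14:05:00\t27-06-2024 14:20:00\tjsmith\tRemoteControl\t{cccc-3333}
555000111\tContractor-PC\t27-06-2024 11:00:00\t27-06-2024 11:30:00\tadmin\tFileTransfer\t{dddd-4444}
"""

ALLOWLIST = {"123456789"}       # partner IDs permitted to connect (constructed)
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumed policy)
TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed TeamViewer timestamp layout


def parse_connections(text):
    """Parse log text into a list of dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue
        try:
            start = datetime.strptime(fields[2], TS_FORMAT)
            end = datetime.strptime(fields[3], TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp: treat as malformed
        records.append({
            "partner_id": fields[0],
            "partner_name": fields[1],
            "start": start,
            "end": end,
            "local_user": fields[4],
            "conn_type": fields[5],
            "conn_id": fields[6],
        })
    return records


def find_anomalies(records, allowlist=ALLOWLIST, business_hours=BUSINESS_HOURS):
    """Return (record, reasons) pairs for sessions a reviewer should examine."""
    findings = []
    for rec in records:
        reasons = []
        if rec["partner_id"] not in allowlist:
            reasons.append("partner ID not on allowlist")
        if rec["start"].hour not in business_hours:
            reasons.append("connection started outside business hours")
        if rec["conn_type"] != "RemoteControl":
            reasons.append(f"non-standard session type {rec['conn_type']}")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in find_anomalies(parse_connections(SAMPLE_LOG)):
        print(rec["conn_id"], rec["partner_id"], rec["start"], "; ".join(reasons))
```

Run against the constructed sample, the script reports the 02:47 session from an unlisted partner and the contractor's file-transfer session, and stays quiet about the allowlisted helpdesk machine. On a real host, point it at the actual log file and keep the allowlist in step with the allowlist configured in the product itself, so the two controls the bulletin mentions (log review and connection allowlisting) check each other.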

H-ISAC noted in its industry bulletin that it had been warned by a friendly intel partner that APT29 – aka Russian intelligence's Cozy Bear crew – has been "actively exploiting Teamviewer."

"TeamViewer has been observed being exploited by threat actors associated with APT29," it added.

Which could mean the Russians are separately exploiting weaknesses within TeamViewer to get into people's networks, or taking advantage of poor customer-side security to get in via the remote-desktop software. Or H-ISAC is saying the aforementioned intrusion was carried out by the Kremlin into TeamViewer's own systems.

We're seeking further details and will let you know when we hear more. ®

Updated to add

TeamViewer has confirmed it was hit by Russia's APT29 aka Cozy Bear.
