Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.
TeamViewer is a legitimate remote access tool used extensively in the enterprise world, valued for its simplicity and capabilities.
The tool is also cherished by scammers and even ransomware actors, who use it to gain access to remote desktops, dropping and executing malicious files unhindered.
A similar case was first reported in March 2016, when numerous victims confirmed in the BleepingComputer forums that their devices were breached using TeamViewer to encrypt files with the Surprise ransomware.
At the time, TeamViewer's explanation for the unauthorized access was credential stuffing, meaning the attackers did not exploit a zero-day vulnerability in the software but instead used users' leaked credentials.
A new report from Huntress shows that cybercriminals haven't abandoned these old techniques and are still taking over devices via TeamViewer to try to deploy ransomware.
In the two compromised endpoints Huntress analyzed, the TeamViewer log files showed connections from the same source in both cases, indicating a common attacker.
On the second endpoint seen by Huntress, where TeamViewer had been running since 2018, the logs showed no activity for the past three months, indicating that it was less frequently monitored and possibly making it a more attractive target for the attackers.
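The two log signals described above, a source that appears on more than one endpoint and a connection arriving after a long quiet period, are easy to check across a fleet's TeamViewer incoming-connection logs. The following is an added example, not code from Huntress or BleepingComputer. The sample log lines are constructed; their layout is modelled on the tab-separated fields of TeamViewer's Connections_incoming.txt (remote ID, display name, start, end, local user, connection type, connection ID), but the field order and timestamp format are assumptions to verify against the TeamViewer version you run.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for two endpoints. Field layout is an assumption
# approximating TeamViewer's Connections_incoming.txt; verify before use.
ENDPOINT_LOGS = {
    "WS-FINANCE-01": (
        "111222333\tSupport Desk\t02-11-2023 09:12:44\t02-11-2023 09:40:01\tjdoe\tRemoteControl\t{c1}\n"
        "111222333\tSupport Desk\t04-12-2023 11:05:10\t04-12-2023 11:30:33\tjdoe\tRemoteControl\t{c2}\n"
        "999888777\tUser\t16-01-2024 02:14:05\t16-01-2024 02:21:50\tjdoe\tRemoteControl\t{c3}\n"
    ),
    "WS-LEGACY-07": (
        "444555666\tIT Admin\t08-10-2023 14:00:00\t08-10-2023 14:22:10\tadmin\tRemoteControl\t{c4}\n"
        "999888777\tUser\t16-01-2024 02:35:41\t16-01-2024 02:44:12\tadmin\tRemoteControl\t{c5}\n"
    ),
}

TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp layout


def parse_connections(text):
    """Parse one endpoint's incoming-connection log into dicts sorted by start time."""
    rows = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue  # blank or truncated line
        rows.append({
            "remote_id": fields[0],
            "name": fields[1],
            "start": datetime.strptime(fields[2], TS_FORMAT),
            "end": datetime.strptime(fields[3], TS_FORMAT),
            "local_user": fields[4],
            "kind": fields[5],
            "conn_id": fields[6],
        })
    rows.sort(key=lambda r: r["start"])
    return rows


def analyse(endpoint_logs, dormancy_days=60):
    """Return (finding, host, remote_id) tuples for three signals:
    a remote ID first seen after the log's baseline, a connection after a
    quiet period longer than dormancy_days, and a remote ID seen on more
    than one endpoint."""
    findings = []
    hosts_by_remote = defaultdict(set)
    for host, text in endpoint_logs.items():
        rows = parse_connections(text)
        if not rows:
            continue
        baseline_start = rows[0]["start"]
        known = set()
        prev_end = None
        for r in rows:
            hosts_by_remote[r["remote_id"]].add(host)
            # A remote ID that shows up only after the earliest logged entry
            if r["remote_id"] not in known and r["start"] > baseline_start:
                findings.append(("new_remote_id", host, r["remote_id"]))
            known.add(r["remote_id"])
            # A connection that follows a long gap with no sessions at all
            if prev_end is not None and r["start"] - prev_end > timedelta(days=dormancy_days):
                findings.append(("after_dormancy", host, r["remote_id"]))
            prev_end = r["end"] if prev_end is None else max(prev_end, r["end"])
    # The same remote ID connecting to several endpoints suggests one operator
    for remote_id, hosts in hosts_by_remote.items():
        if len(hosts) > 1:
            findings.append(("shared_source", ",".join(sorted(hosts)), remote_id))
    return findings


if __name__ == "__main__":
    for finding in analyse(ENDPOINT_LOGS):
        print(*finding)
```

On the constructed data the dormant endpoint raises both the new-ID and the dormancy signal for the same remote ID, and the cross-endpoint check ties that ID to both hosts, which is the correlation the report describes. Any finding of this kind is a prompt to confirm whether the remote ID belongs to a known support account before treating the session as hostile.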
In both cases, the attackers attempted to deploy the ransomware payload using a batch file placed on the desktop, which executed a DLL file via rundll32.exe.
The attack on the first endpoint succeeded but was contained.
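The deployment chain just described, a batch file on the desktop invoking rundll32.exe on a DLL, leaves a distinctive parent/child pattern in process-creation telemetry. The following detection logic is an added example, not code from Huntress or BleepingComputer. The events are constructed and shaped like the fields of a Sysmon Event ID 1 record; the `-pass` switch check reflects the key argument used by LockBit 3.0 builder output as described in public analyses, and is one indicator among several rather than a requirement.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events with Sysmon-style field names.
EVENTS = [
    {   # benign: interactive shell listing a directory
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "User": r"CORP\jdoe",
    },
    {   # benign: rundll32 started by a service host, DLL under System32
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # suspicious: desktop batch file launching a DLL through rundll32
        # (file names and the PLACEHOLDER key value are constructed)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\jdoe\Desktop\payload.dll",Entry -pass PLACEHOLDER',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\jdoe\Desktop\run.bat"',
        "User": r"CORP\jdoe",
    },
]

# Locations an unprivileged interactive user can normally write to.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:desktop|downloads|appdata\\local\\temp)"
    r"|users\\public|programdata|windows\\temp)\\", re.I)
# A drive-rooted path ending in .bat or .cmd anywhere in a command line.
BATCH_PATH = re.compile(r"([a-z]:\\[^\"]*?\.(?:bat|cmd))\b", re.I)
# First argument after the rundll32 image name, quoted or bare.
FIRST_ARG = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+("[^"]+"|\S+)', re.I)
PASS_SWITCH = re.compile(r"(?:^|\s)-pass\b", re.I)


def loaded_dll(command_line):
    """Return the DLL path rundll32 was asked to load, or None."""
    m = FIRST_ARG.match(command_line)
    if not m:
        return None
    return m.group(1).strip('"').split(",")[0]


def suspicious_reasons(event):
    """List the indicators present on a rundll32 process-creation event."""
    if PureWindowsPath(event["Image"]).name.lower() != "rundll32.exe":
        return []
    reasons = []
    parent_cmd = event.get("ParentCommandLine", "")
    if PureWindowsPath(event["ParentImage"]).name.lower() == "cmd.exe":
        script = BATCH_PATH.search(parent_cmd)
        if script and USER_WRITABLE.match(script.group(1)):
            reasons.append(f"parent cmd.exe runs a batch script from a user-writable path: {script.group(1)}")
    dll = loaded_dll(event.get("CommandLine", ""))
    if dll and USER_WRITABLE.match(dll):
        reasons.append(f"DLL loaded from a user-writable path: {dll}")
    if PASS_SWITCH.search(event.get("CommandLine", "")):
        reasons.append("command line carries a -pass key switch")
    return reasons


def triage(events, min_reasons=2):
    """Map event index to its reasons for events meeting the threshold."""
    hits = {}
    for i, event in enumerate(events):
        reasons = suspicious_reasons(event)
        if len(reasons) >= min_reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for index, reasons in triage(EVENTS).items():
        print(f"event {index}:")
        for reason in reasons:
            print("  -", reason)
```

Requiring two indicators keeps legitimate rundll32 use, which is common under svchost.exe and from System32, out of the alert queue, while the desktop batch-to-rundll32 chain with a user-writable DLL trips all three. The same pattern can be expressed as a Sysmon or EDR query; the point is the combination of parent, script location and DLL location, not any one of them alone.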
While Huntress hasn't been able to attribute the attacks with certainty to any known ransomware gangs, they note that it is similar to LockBit encryptors created using a leaked LockBit Black builder.
In 2022, the ransomware builder for LockBit 3.0 was leaked, with the Bl00dy and Buhti gangs quickly launching their own campaigns using the builder.
Based on the IOCs provided by Huntress, the attacks through TeamViewer appear to be using the password-protected LockBit 3 DLL. While BleepingComputer could not find the specific sample seen by Huntress, we found a different sample uploaded to VirusTotal last week.
This sample is detected as LockBit Black but does not use the standard LockBit 3.0 ransomware note, indicating it was created by another ransomware gang using the leaked builder.
While it is unclear how the threat actors are now taking control of TeamViewer instances, the company shared the following statement with BleepingComputer about the attacks and on securing installations.
Our analysis shows that most instances of unauthorized access involve a weakening of TeamViewer's default security settings.
We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor authentication, allow-lists, and regular updates to the latest software versions.
Published on www.bleepingcomputer.com, Thu, 18 Jan 2024 21:15:27 +0000.