Jump to content

Teamviewer abused to install ransomware


Recommended Posts

- Quote 

Users on BleepingComputer report TeamViewer is abused to install ransomware on computers. Although it’s unclear how the cyber criminals gain access to TeamViewer, the login to the computer and the activation of the ransomware is clearly visible in TeamViewer’s logs.


It might be possible that hackers gain access by bruteforcing passwords, abusing zero-day vulnerabilities or by resetting passwords through email addresses obtained by other hacks. Whatever method they use, once they have access to the computer they upload a file to the desktop called surprise.exe. This is the actual ransomware which encrypts files and adds the extension .surprise.

- Unquote 

read the rest in http://www.myce.com/news/teamviewer-abused-install-ransomware-computers-78947/?utm_content=buffer790d6&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

Link to post
Share on other sites

A very long shot.. but will there not be logs of any such attempts and alerts about it and necessity for TV to be running to accept external connectivity (with session password), and unclear if it is not running, can it be said that the user is safe?? 

Edit - also what about need for id, which is specific to the system?

Link to post
Share on other sites

Use TV in our corporation, and yes, there will be logs, but the administrative side of TV is decent, allowing me to preset things like PW strength, allowed users, and such.  Those settings themselves can also be PW protected so that they cannot be changed.

Yes, TV does have to be running, but if you change the default password for incoming TV connections, it automatically adds itself to the autostart part of Windows.  If, during install, you mention that you want to use it for remote access, it will do the same.  My guess is that the default settings, which used to be a 4 digit numerical password only, were brute forced as well, and that is sad, really, for TV to be using such weak PW protection as default.  Any setting above that starts to include alphanumeric characters, and you can go even further, lengthening and strengthening the password to 16 characters, IIRC.  I think from ver 9 --> 10, or 10 --> 11, the default PW went from being a 4 character numerical to a 5-6 digit alphanumeric, but previous versions retain the 4 digit numerical by default.

Another thing  is, if TV autostart with Windows, the ID remains constant if you add your own password to the application.  It is how we are easily able to trace our sales force through the management console.  So, it would not surprise me if the combination of weak passwords and auto start, with set ID, is a root cause for this latest issue.

Link to post
Share on other sites

No autostart here and moreover have TV covered by MBAE, so if any run, will trigger protection alert by MBAE, so will know if TV were to run.. Only thing to track is the activity during the TV session (which is used for only any system troubleshooting purpose), and that no suspicious activity takes place..  But how to check it is the question, will the logs give complete activity list?? TIA..

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.