Teamviewer abused to install ransomware

[sman]

- Quote 

Users on BleepingComputer report TeamViewer is abused to install ransomware on computers. Although it’s unclear how the cyber criminals gain access to TeamViewer, the login to the computer and the activation of the ransomware is clearly visible in TeamViewer’s logs.

It might be possible that hackers gain access by bruteforcing passwords, abusing zero-day vulnerabilities or by resetting passwords through email addresses obtained by other hacks. Whatever method they use, once they have access to the computer they upload a file to the desktop called surprise.exe. This is the actual ransomware which encrypts files and adds the extension .surprise.

- Unquote 

read the rest in http://www.myce.com/news/teamviewer-abused-install-ransomware-computers-78947/?utm_content=buffer790d6&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

[exile360]

42 minutes ago, sman said:

- Quote 

It might be possible that hackers gain access by bruteforcing passwords...

 

This would be my guess as it seems the most likely, although the other avenues mentioned (among other possibilities) are certainly possible.

[sman]

A very long shot.. but will there not be logs of any such attempts and alerts about it and necessity for TV to be running to accept external connectivity (with session password), and unclear if it is not running, can it be said that the user is safe?? 

Edit - also what about need for id, which is specific to the system?

[John L. Galt]

Use TV in our corporation, and yes, there will be logs, but the administrative side of TV is decent, allowing me to preset things like PW strength, allowed users, and such.  Those settings themselves can also be PW protected so that they cannot be changed.

Yes, TV does have to be running, but if you change the default password for incoming TV connections, it automatically adds itself to the autostart part of Windows.  If, during install, you mention that you want to use it for remote access, it will do the same.  My guess is that the default settings, which used to be a 4 digit numerical password only, were brute forced as well, and that is sad, really, for TV to be using such weak PW protection as default.  Any setting above that starts to include alphanumeric characters, and you can go even further, lengthening and strengthening the password to 16 characters, IIRC.  I think from ver 9 --> 10, or 10 --> 11, the default PW went from being a 4 character numerical to a 5-6 digit alphanumeric, but previous versions retain the 4 digit numerical by default.

Another thing  is, if TV autostart with Windows, the ID remains constant if you add your own password to the application.  It is how we are easily able to trace our sales force through the management console.  So, it would not surprise me if the combination of weak passwords and auto start, with set ID, is a root cause for this latest issue.

[sman]

No autostart here and moreover have TV covered by MBAE, so if any run, will trigger protection alert by MBAE, so will know if TV were to run.. Only thing to track is the activity during the TV session (which is used for only any system troubleshooting purpose), and that no suspicious activity takes place..  But how to check it is the question, will the logs give complete activity list?? TIA..

[John L. Galt]

That also depends upon the logging as it is set in the application.  By default, I think not.

[sman]

Oh.. Tks..I'll check the settings..