TeamViewer Breach: A Wake-Up Call for Cybersecurity in 2024
In a recent and alarming development, TeamViewer, a leading provider of remote access software, has disclosed a significant cyber attack that breached its corporate network. Detected on June 26, 2024, the attack has been attributed to APT29, a notorious Russian state-sponsored hacking group known for their sophisticated cyber espionage campaigns. Despite TeamViewer’s swift response and ongoing investigation, the implications of this breach are far-reaching, given the platform’s extensive global reach.
With over 640,000 customers and installations on 2.5 billion devices, TeamViewer’s security breach underscores the persistent and evolving nature of cyber threats. The attack not only highlights vulnerabilities within even the most trusted software solutions but also serves as a crucial reminder for organizations to continuously review and strengthen their cybersecurity protocols.
This blog post discusses the broader implications of the TeamViewer breach for businesses and individuals. Stay informed and vigilant as we navigate the complexities of the digital security landscape together.
By Lawrence Abrams with bleepingcomputer
RMM software developer TeamViewer says a Russian state-sponsored hacking group known as Midnight Blizzard is believed to be behind a breach of their corporate network this week.
Yesterday, BleepingComputer reported that TeamViewer had been breached and that cybersecurity experts and healthcare organizations had begun warning customers and organizations to monitor their connections.
TeamViewer is widely used by enterprises and consumers for remote monitoring and management (RMM) of devices on internal networks. As the scope of the cybersecurity incident was not known, experts began warning stakeholders to monitor for suspicious connections that could indicate threat actors attempting to use the TeamViewer breach to gain access to further networks.
Today, TeamViewer has shared an updated statement with BleepingComputer, stating that they attribute the attack to Midnight Blizzard (APT29, Nobelium, Cozy Bear).
TeamViewer says they believe their internal corporate network, not their production environment, was breached on Wednesday, June 26, using an employee’s credentials.
“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment,” reads the updated TeamViewer statement.
“Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard.”
The company stressed that their investigation has shown no indication that the production environment or customer data was accessed in the attack and that they keep their corporate network and product environment isolated from each other.
“Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place,” continues TeamViewer’s statement.
“This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.”
While this is reassuring to TeamViewer customers, it is common in incidents like this for more information to come out later as the investigation progresses. This is especially true for a threat actor as advanced as Midnight Blizzard.
Therefore, it is recommended that all TeamViewer customers enable multi-factor authentication, set up an allow and block list so only authorized users can make connections, and monitor their network connections and TeamViewer logs.
BleepingComputer contacted TeamViewer with further questions about who is assisting with the investigation and how the employee credentials were compromised but has not received a response at this time.
Midnight Blizzard
Midnight Blizzard (aka Cozy Bear, Nobelium, and APT29) is an advanced state-sponsored hacking group believed to be associated with Russia’s Foreign Intelligence Service (SVR).
The threat actors have been linked to a wide variety of attacks, primarily associated with cyber espionage, in which they breach government and corporate networks to silently steal data and monitor communications.
The US government linked the hacking group to the infamous SolarWinds supply chain attack in 2020, where the threat actors breached the company to gain access to its developer environment. From there, they added a malicious backdoor to a Windows DLL file that was then pushed down to SolarWinds customers in a supply chain attack via an automatic update platform.
This DLL allowed the threat actors to monitor for high-value targets, breach networks, and steal data from their environments.
More recently, Midnight Blizzard turned their attention to Microsoft in a series of successful cyberattacks.
In 2023, the threat actors breached Microsoft’s corporate Exchange Online accounts to monitor and steal emails from the company’s leadership, cybersecurity, and legal teams. Of particular interest, Microsoft says that they initially targeted email accounts to find information related to themselves.
In March 2024, Microsoft said the threat actors once again breached their systems using secrets found in the emails that were stolen in the previous incident.
Midnight Blizzard accessed some of its internal systems and source code repositories as part of this breach.
In both incidents, the threat actors used password spray attacks to breach corporate accounts and then used those accounts as a springboard to other accounts and devices in targeted systems.
Microsoft had previously shared guidance for responding and investigating attacks by Midnight Blizzard.