Many users of the remote desktop tool TeamViewer have been in an uproar after their machines were remotely hijacked; in some cases over the past month or so, victims had their bank or PayPal accounts drained. TeamViewer denied it had been hacked and launched two new security measures.
After experiencing a TeamViewer takeover, IBM security researcher Nick Bradley thinks password reuse may be the problem. Bradley said he was gaming on his PC when he lost control of his mouse and TeamViewer popped up. He killed the app and dashed downstairs to another PC which had TeamViewer.
Sure enough, TeamViewer popped up on that machine and an attacker opened a browser to access a web page. Had he not been there to witness and thwart the takeover, he said he would likely be writing about his “personal data leak” instead of how he was almost hacked. He noted that some Reddit users have “claimed to have had their TeamViewer accounts compromised, bank accounts drained, gift cards purchased and more.”
Bradley had not used TeamViewer recently and had forgotten it was even installed on multiple machines. He mentioned that his credentials were among those exposed in the LinkedIn breach and that he had since changed that password, but not everywhere. “At this point, I figured this was most likely due to me not changing my leaked password on TeamViewer,” he wrote.
Bradley wrote: “My speculation on the actual activity I witnessed is that it was basic recon. The attacker was simply going from one compromised machine to the next to identify who the victim was and what the timezone was, as demonstrated by the URL the attacker tried to go to.”
Yet Bradley did question if TeamViewer was breached or if “some DNS mischief” took place.
TeamViewer did experience an outage on June 1 due to “a denial-of-service attack aimed at the TeamViewer DNS-server infrastructure.” The company claimed it had nothing to do with users’ accounts being hijacked. It warned against “careless use of account credentials” by reusing passwords across multiple accounts.
Accusations that TeamViewer was hacked had been flying even before the DoS attack. On May 23 in response to an article which claimed users were having their “bank accounts emptied by hackers gaining full-system access,” the company said, “There is no evidence to suggest that TeamViewer has been hacked. Neither do we have any information that would suggest that there is a security hole in TeamViewer. Therefore it is important to stress there are no TeamViewer hackers, but rather data thieves that will steal information from other sources.”
TeamViewer issued a new statement on Friday, June 3, and announced launching Trusted Devices and Data Integrity security features. In an open letter to all TeamViewer users, the company wrote:
As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.
We are appalled by the behavior of cyber criminals, and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.
At this point we want to underscore that TeamViewer account authentication uses the Secure Remote Password protocol (SRP) and therefore does not store any password-equivalent data.
The Trusted Devices feature adds a check that a stolen password alone cannot pass: when someone signs into your TeamViewer account from a device it has not seen before, TeamViewer emails you a confirmation link, and the sign-in does not complete until you click it. The check is only as strong as your mailbox, so it helps little if the same reused password also opens your email account.
The Data Integrity feature monitors TeamViewer accounts for unusual behavior, such as access from a new location, which might indicate the account has been compromised. “To safeguard your data integrity, your TeamViewer account will be marked for an enforced password reset. In this case, you will receive an email from us with instructions to reset your password.”
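To make the two mechanisms concrete, here is an added example written for this page (it is not TeamViewer's code) of a login policy that behaves as described: a sign-in from an unknown device is held until a one-time, time-limited token sent by email is presented, and a sign-in from an unfamiliar country on an otherwise trusted device flags the account for a forced password reset. The event fields, the ten-minute link lifetime and the country-based rule are assumptions made for the example.

```python
"""
Trusted-device approval plus new-location flagging, as an added example.
Not TeamViewer's implementation: the fields, lifetimes and rules are assumed.
"""
import secrets
from dataclasses import dataclass, field

DENY = "deny"
ALLOW = "allow"
CONFIRM_DEVICE = "confirm_device"       # e-mail a one-time link, no session yet
FORCE_RESET = "force_password_reset"


@dataclass
class Account:
    trusted_devices: set = field(default_factory=set)
    seen_countries: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # token -> (device_id, expiry)
    reset_required: bool = False


def login(acct: Account, password_ok: bool, device_id: str, country: str, now: float):
    """Evaluate one sign-in. Returns (decision, token-or-None)."""
    if not password_ok:
        return DENY, None        # say nothing about device state before the password succeeds
    if acct.reset_required:
        return FORCE_RESET, None
    if device_id not in acct.trusted_devices:
        token = secrets.token_urlsafe(32)              # unguessable; only the mailbox owner sees it
        acct.pending[token] = (device_id, now + 600)   # assumed 10-minute link lifetime
        return CONFIRM_DEVICE, token
    if acct.seen_countries and country not in acct.seen_countries:
        acct.reset_required = True                     # "unusual behaviour" -> enforced reset
        return FORCE_RESET, None
    acct.seen_countries.add(country)
    return ALLOW, None


def confirm_device(acct: Account, token: str, now: float) -> bool:
    """Called when the user clicks the e-mailed link. Each link works once and expires."""
    entry = acct.pending.pop(token, None)     # pop: a second click with the same token fails
    if entry is None:
        return False
    device_id, expiry = entry
    if now > expiry:
        return False
    acct.trusted_devices.add(device_id)
    return True


def scenario():
    """Constructed walk-through (not real events); returns the decision at each step."""
    now = 1_700_000_000.0
    acct = Account(trusted_devices={"laptop-1"}, seen_countries={"DE"})
    out = {}
    # Attacker has the password reused from another breach, but an unknown device.
    out["attacker_new_device"], tok = login(acct, True, "attacker-box", "RU", now)
    # Without the mailbox the attacker can only guess the token.
    out["guessed_token"] = confirm_device(acct, "AAAA", now)
    # The real link dies after its lifetime even if it leaks later.
    out["expired_token"] = confirm_device(acct, tok, now + 601)
    # Legitimate owner enrols a second laptop by clicking the mailed link in time.
    out["owner_new_device"], tok2 = login(acct, True, "laptop-2", "DE", now)
    out["owner_confirms"] = confirm_device(acct, tok2, now + 30)
    out["owner_second_login"], _ = login(acct, True, "laptop-2", "DE", now + 60)
    # A trusted device appearing from an unfamiliar country trips the reset flag,
    # and the flag sticks until the password is changed.
    out["trusted_device_new_country"], _ = login(acct, True, "laptop-1", "BR", now + 120)
    out["after_flag"], _ = login(acct, True, "laptop-1", "DE", now + 180)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:28s} -> {result}")
```

The order of checks matters: the device and location rules run only after the password has been verified, so a failed guess learns nothing about which devices the account trusts, and the reset flag is evaluated first so that a flagged account cannot be used even from a trusted device.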
With over 642 million passwords being sold in the cybercriminal underground from the “megabreaches” involving LinkedIn, MySpace, Tumblr and Fling, it could be that TeamViewer was not hacked and users have been reusing passwords.
As Brian Krebs said on Krebs on Security:
My guess is that a large number of Teamviewer users either re-used passwords at some of the social networking services whose usernames and hashed passwords were posted online this week, or they are Teamviewer users who unfortunately were caught up in the day-to-day churn of systems compromised through other malware. In any case, there is a lengthy thread on Reddit populated by Teamviewer users who mostly claim they didn’t re-use their Teamviewer password anywhere else.
A list of details from 129 people describing themselves as TeamViewer victims was spun off from a single Reddit thread. If you have TeamViewer, check its logs for any suspicious logins. If you plan to keep TeamViewer installed but step up security, note that a Reddit post warned that “if you enable 2FA or reset your password, it will wipe the list of active logins” on the TeamViewer management console website, so review that list before doing either.
It should go without saying, but please use a unique and strong password for each account. If you reused a password across multiple sites and accounts, and that password was part of the megabreaches, and if you still haven’t changed it, then you are playing Russian roulette.