TeamViewer Hacked | Source - Teamviewer

Teamviewer Hacked by Russian Backed Notorious APT29 Group

TeamViewer, a remote desktop connection software, has been hacked by the Russian state-sponsored attackers APT29, also called Cozy Bear. As per recent reports, TeamViewer was hacked, apparently giving those parties access to users’ accounts. A number of users claim that reports of unauthorized access started appearing on a Reddit thread over the weekend, with accounts that were raided – including PayPal, eBay and Amazon – many with stolen credentials saved in the browser. The outage coincided with a possible DNS failure for the company, which would give an attacker access to credentials, emails and contact information.

Teamviewer Hacked By Russian State-Sponsored Group APT29

As cyberattacks reach new levels of sinister sophistication, from the lone hacker to the state-backed enemy, it’s worth revisiting the saga of one such group: APT29, aka ‘Cozy Bear’. Recent reports implicate them in the TeamViewer hack, which highlights why state-sponsored attacks matter in cybersecurity, and why we need to guard against them.

TeamViewer, a developer of RMM software, has reported that a breach of its corporate network this week is believed to have been the work of the Russian state-sponsored hacking group known as Midnight Blizzard. It was recently reported that cybersecurity experts and healthcare organizations had begun warning customers and organizations to monitor their connections because of the breach. TeamViewer has now confirmed that the attack is linked to Midnight Blizzard (APT29, Nobelium, Cozy Bear).

TeamViewer believes that an employee’s credentials were used to breach its internal corporate network, not its production environment, on Wednesday, June 26. The company stressed that its investigation has shown no indication that the production environment or customer data was accessed in the attack, as it keeps its corporate network and product environment isolated from each other.

Despite this assurance to customers, it is common for more information to emerge as the investigation progresses in incidents like this, especially with a threat actor as advanced as Midnight Blizzard. As a precaution, it is recommended that all TeamViewer customers enable multi-factor authentication, set up allow and block lists for connections, and monitor their network connections and TeamViewer logs. TeamViewer has not responded to further questions about the investigation at this time.

TeamViewer is widely used for remote monitoring and management (RMM) of devices on internal networks, and experts have advised stakeholders to monitor for suspicious connections following the breach. TeamViewer is not the only RMM software company to have been hacked. Recently, AnyDesk, another well-known remote desktop software company, was hacked, with the attack impacting the company’s production servers.

What is APT29 (also known as Cozy Bear or Midnight Blizzard)?

APT29, often associated with the Foreign Intelligence Service of the Russian Federation (SVR), is an advanced persistent threat (APT) that is both sophisticated and stealthy. Known for its use of spear-phishing emails and custom malware, APT29 goes to great lengths to avoid detection. The group is skilled in lateral movement within networks, often gaining access to critical data and exfiltrating it without raising alarms. Its tactics keep evolving, making it imperative for cybersecurity professionals to stay ahead of them. Most recently, Midnight Blizzard gained public attention for the hack of Microsoft executive emails in early 2024.


Cybersecurity is invariably intertwined with geopolitics, and state-sponsored cyber attacks pose a significant threat to global security. The motivations behind state-sponsored cyber attacks often involve gaining strategic advantages, whether for political, economic, or military gain. The cyber domain has become a battleground for nation-states to assert their dominance or undermine their adversaries. These attacks are often part of broader geopolitical strategies, aiming to destabilize or disrupt the infrastructure of rival states. The repercussions can be enormous, ranging from compromised national security information to significant economic losses.

In December 2023, the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory (CSA) regarding the Russian-backed threat actor Midnight Blizzard.

In the case of the TeamViewer hack attributed to APT29, the potential for data theft and subsequent misuse can have far-reaching implications, not just for individual users but for industries reliant on remote work tools. The fact that TeamViewer was recently hacked by APT29 suggests that state-sponsored cyber attacks are still ongoing and ever-evolving. As cyber has transformed from a military theatre into a cornerstone of global security, public and private circles must devise pre-emptive and coordinated measures to ensure absolute cybersecurity, with or without targeted entities being aware of the threat. While information security remains on cyberattackers’ radar, sensitive information and critical infrastructure could still be at risk of cyber intrusion from carefully orchestrated attacks.

Critical infrastructure sectors, such as energy, healthcare, and finance, are prime targets for state-sponsored cyber attacks due to their importance and potential for widespread disruption. Understanding these geopolitical dynamics and evolving threat situations is crucial for developing comprehensive cybersecurity strategies that anticipate and counteract potential threats. To protect these sectors, it is essential to adopt stringent cybersecurity measures. This includes conducting regular vulnerability assessments, ensuring robust incident response plans, and fostering collaboration between public and private sectors to share threat intelligence and best practices.

How To Secure Your Accounts After the TeamViewer Hack?

To maintain safety while using TeamViewer, consider taking the following steps:

  1. Update your password for your TeamViewer account.
  2. Ensure that you log out of your TeamViewer account on any devices where the software is installed to prevent unauthorized access via compromised login credentials.
  3. Monitor for unexpected incoming connections by reviewing log files located in the “Extras” section.
  4. Regularly review your credit card and PayPal statements for any signs of unauthorized or suspicious activity.
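As an added example (not code from the article or from TeamViewer), the script below applies step 3 together with the allow-list advice given earlier: it parses incoming-connection log lines and flags sessions from partner IDs that are not on the allow list, sessions started outside business hours, and file-transfer sessions. The tab-separated layout (partner ID, partner name, start, end, local user, session type, session GUID) is assumed from TeamViewer's Connections_incoming.txt, and the sample lines are constructed.

```python
# Added example (not TeamViewer's code or the article's): check incoming
# TeamViewer connection log lines against an allow list and business hours.
# Log layout assumed to follow Connections_incoming.txt (tab-separated:
# partner ID, partner name, start, end, local user, session type, session GUID).
from datetime import datetime

# Constructed sample lines in that assumed layout; not real log data.
SAMPLE_LOG = """\
111222333\tHelpdesk Laptop\t26-06-2024 09:12:04\t26-06-2024 09:40:17\tjsmith\tRemoteControl\t{CONSTRUCTED-1}
444555666\tUnknown\t26-06-2024 03:05:51\t26-06-2024 03:49:02\tjsmith\tFileTransfer\t{CONSTRUCTED-2}
111222333\tHelpdesk Laptop\t27-06-2024 22:30:00\t27-06-2024 22:45:10\tjsmith\tRemoteControl\t{CONSTRUCTED-3}
"""

ALLOWED_PARTNER_IDS = {"111222333"}   # TeamViewer IDs expected to connect in
BUSINESS_HOURS = range(8, 19)         # 08:00-18:59 local time
TIME_FMT = "%d-%m-%Y %H:%M:%S"

def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        pid, name, start, end, user, kind, cid = fields
        conns.append({"partner_id": pid, "partner_name": name,
                      "start": datetime.strptime(start, TIME_FMT),
                      "end": datetime.strptime(end, TIME_FMT),
                      "local_user": user, "kind": kind, "conn_id": cid})
    return conns

def flag_suspicious(conns, allowed=ALLOWED_PARTNER_IDS):
    """Return (conn_id, partner_id, reasons) for sessions worth a closer look."""
    findings = []
    for c in conns:
        reasons = []
        if c["partner_id"] not in allowed:
            reasons.append("partner ID not on allow list")
        if c["start"].hour not in BUSINESS_HOURS:
            reasons.append("started outside business hours")
        if c["kind"] == "FileTransfer":
            reasons.append("file transfer session")
        if reasons:
            findings.append((c["conn_id"], c["partner_id"], reasons))
    return findings

if __name__ == "__main__":
    for cid, pid, reasons in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{cid} from {pid}: {'; '.join(reasons)}")
```

Point `parse_log` at the contents of your own Connections_incoming.txt and replace the allow list with the TeamViewer IDs you actually expect; anything flagged should be reconciled against known support sessions.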

For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.


Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.
