From the desk of: Sam C. Chan

Advisory:   TeamViewer Breach

Published:  June 6, 2016     LAST REVISED: JUN 21, 2016 (GotoMyPC)

Last week, there has been an on-going outbreak of TeamViewer (TV) breach incidents: unauthorized remote access to PCs and devices, presumably using valid TeamViewer ID + password.

How did it happen?
There are 5 likely scenarios, all of which are possible and plausible. So one must keep an open mind, despite adamant denials from the vendor, and baseless claims of "proof" stemming from logical fallacies.
  1. TeamViewer's server/data was compromised in some manners (bulk credential leak)
  2. passwords and IDs were stolen from external sources (pertains password "reuse")
  3. malware infestation at breached PCs, which discloses the credentials
  4. yet undisclosed TeamViewer software vulnerability, exploited by those privy to it
  5. flaws in the process and/or TV's infrastructure, by which 3rd parties authenticate and obtain NAT traversal path

At present, TV is denying any discernible signs of breach at their server. Claims of anecdotal "proof" of otherwise from users are deemed self-evidently specious by me. As events are unfolding, S/N ratio is exceedingly low. Ignore the noise.

Obviously, when your PC is "owned" by strangers, even just for a brief moment, the consequences are very serious. Mechanized processes with a well-crafted script can scan for & transfer a few crucial data files/strings within seconds. Subsequently, at their leisure, through intricate compound escalations and elevations, end up with a shocking trove of datafor even more access and damage!

I am listing some primary concerns: Once remote session is attained, intruder can...
  • Data Confidentiality, Integrity and Availability
    • view/modify/delete/transfer/encrypt all data files on that PC/device,
    • as well as data located in network servers, attached external devices, removable media, and online storage accounts
    • access/destroy/tamper with your backups, establish control to your online backup account, providing on-going access to fresh data, even if you cut off remote session access entirely
    • view/delete/copy email messages, copy hashed email account password to use on their own PCs (live access to email server)
  • Financial Fraud
    • login to vendor accounts via saved passwords at your PC/device, place orders, transfer funds, etc.
    • add verification question & answer, establish a future path to reset your account, re-gaining access, after you change password
    • IF your online accounts store & display full credit card numbers, they can readily view those as well
  • Identity Theft
    • steal & use any password stored locally in plaintext
    • copy passwords stored in encrypted "wallets," for offline attacks (brute force/rainbow table)
    • use your accounts with cached credentials for social engineering, to lure your contacts via phishing email, chat messages, and social media posting
Current TeamViewer Breach (news gathered June 1 ~ 6, 2016)
Previous (separate) Incidents What to Do?
  • Do not jump to conclusions, events still unfolding
  • knee-jerk response such as switching from TV to their competitors, are pointless
    • all other products/services have similar issues
  • so-called virus scans, etc. are ineffective by definitionin fact, laughable
  • evaluate your situation, arrive at a set of effective mitigating strategies & future roadmap
  • recommended first steps
    • immediate change all your TV account passwords
    • consider temporarily uninstalling software
  • long-term
    • eradicate persistent out-bound reverse remote control session, authenticated & enabled by an external entity, using a centralized database
    • reject (if possible) any product/service installing NAT router traversal not at your direct control, including those working by on-the-fly download of active-x, or browser plug-ins
Addendum   June 21, 2016
RELATED     GoToMyPC first announced that they have suffered a very sophisticated attack, and then retracted the announcement and stated that they have found no signs of being successfully breached, and blamed the current wave of breached accounts on "password reuse"--related to the recent LinkIn password leak.

Copyright @2005-2016   Bravo Technology Center  *  Bravo:GO  *  Contact Us