Advisory:   TeamViewer Breach

Published:  June 6, 2016     LAST REVISED: JUN 21, 2016 (GotoMyPC)

1. TeamViewer's server/data was compromised in some manners (bulk credential leak)
2. passwords and IDs were stolen from external sources (pertains password "reuse")
3. malware infestation at breached PCs, which discloses the credentials
4. yet undisclosed TeamViewer software vulnerability, exploited by those privy to it
5. flaws in the process and/or TV's infrastructure, by which 3rd parties authenticate and obtain NAT traversal path

At present, TV is denying any discernible signs of breach at their server. Claims of anecdotal "proof" of otherwise from users are deemed self-evidently specious by me. As events are unfolding, S/N ratio is exceedingly low. Ignore the noise.

• Data Confidentiality, Integrity and Availability
• view/modify/delete/transfer/encrypt all data files on that PC/device,
• as well as data located in network servers, attached external devices, removable media, and online storage accounts
• access/destroy/tamper with your backups, establish control to your online backup account, providing on-going access to fresh data, even if you cut off remote session access entirely
• view/delete/copy email messages, copy hashed email account password to use on their own PCs (live access to email server)
• Financial Fraud
• login to vendor accounts via saved passwords at your PC/device, place orders, transfer funds, etc.
• add verification question & answer, establish a future path to reset your account, re-gaining access, after you change password
• IF your online accounts store & display full credit card numbers, they can readily view those as well
• Identity Theft
• steal & use any password stored locally in plaintext
• copy passwords stored in encrypted "wallets," for offline attacks (brute force/rainbow table)
• use your accounts with cached credentials for social engineering, to lure your contacts via phishing email, chat messages, and social media posting

• TeamViewer (official)   A Letter To TeamViewer Users On The Recent Cyber Attacks  6/6/2016
• arstechnica   TeamViewer users are being hacked in bulk, and we still don’t know how
• arstechnica   TeamViewer confirms number of abused user accounts is “significant”
• DataBreachToday   TeamViewer Bolsters Security After Account Takeovers --Fraudsters Raid Computers for PayPal, Amazon and eBay Accounts
• NetworkWorld    TeamViewer denies hack, blames hijacked accounts on password reuse
• CIOdive  TeamViewer says user accounts compromised because of password reuse
• ZDnet   TeamViewer confirms extent of account abuse 'significant'
• Softpedia   TeamViewer Denies Breach As Users Complain on Reddit About Getting Hacked 
• Reddit    TeamViewer Breach Masterthread

• TeamViewer (official)   Statement on Ransomware Infections via TeamViewer  3/23/2016
• ComputerWorld   TeamViewer-based cyberespionage operation targets activists, researchers say
• SpearTip  COMPROMISED TEAMVIEWER USED DURING CYBER ESPIONAGE CAMPAIGN

• Do not jump to conclusions, events still unfolding
• knee-jerk response such as switching from TV to their competitors, are pointless
  • all other products/services have similar issues
• so-called virus scans, etc. are ineffective by definition—in fact, laughable
• evaluate your situation, arrive at a set of effective mitigating strategies & future roadmap
• recommended first steps
  • immediate change all your TV account passwords
  • consider temporarily uninstalling software
• long-term
  • eradicate persistent out-bound reverse remote control session, authenticated & enabled by an external entity, using a centralized database
  • reject (if possible) any product/service installing NAT router traversal not at your direct control, including those working by on-the-fly download of active-x, or browser plug-ins

• GoToMyPC Official Incident Report
• Citrix Status Page History (see June 2016 section)