Advisory: TeamViewer Breach
Published: June 6, 2016
Last revised: June 21, 2016 (GoToMyPC)
Over the past week there has been an ongoing outbreak of TeamViewer (TV) breach incidents: unauthorized remote access to PCs and devices, presumably using a valid TeamViewer ID and password.
How did it happen?
There are five likely scenarios, all of them possible and plausible, so one must keep an open mind, despite adamant denials from the vendor and baseless claims of "proof" that rest on logical fallacies.
- TeamViewer's server/data was compromised in some manner (bulk credential leak)
- passwords and IDs were stolen from external sources (password "reuse")
- malware infestation on the breached PCs, which discloses the credentials
- an as yet undisclosed TeamViewer software vulnerability, exploited by those privy to it
- flaws in the process and/or TV's infrastructure by which third parties authenticate and obtain a NAT traversal path
At present, TV is denying any discernible signs of a breach at their server. Claims of anecdotal "proof" otherwise from users are deemed self-evidently specious by me. As events are unfolding, the signal-to-noise ratio is exceedingly low. Ignore the noise.
Ramifications:
Obviously, when your PC is "owned" by strangers, even for a brief moment, the consequences are very serious. An automated process driven by a well-crafted script can scan for and transfer a few crucial data files or strings within seconds. Subsequently, at their leisure, through intricate compound escalations and elevations, the intruders end up with a shocking trove of data, which buys them even more access and does even more damage.
I am listing some primary concerns. Once a remote session is attained, the intruder can...
- Data Confidentiality, Integrity and Availability
  - view/modify/delete/transfer/encrypt all data files on that PC/device,
  - as well as data located on network servers, attached external devices, removable media, and online storage accounts
  - access/destroy/tamper with your backups, and establish control of your online backup account, gaining ongoing access to fresh data even if you cut off remote session access entirely
  - view/delete/copy email messages, and copy the hashed email account password to use on their own PCs (live access to the email server)
- Financial Fraud
  - log in to vendor accounts via passwords saved on your PC/device, place orders, transfer funds, etc.
  - add a verification question and answer, establishing a future path to reset your account and regain access after you change the password
  - IF your online accounts store and display full credit card numbers, they can readily view those as well
- Identity Theft
  - steal and use any password stored locally in plaintext
  - copy passwords stored in encrypted "wallets" for offline attacks (brute force/rainbow table)
  - use your accounts with cached credentials for social engineering, to lure your contacts via phishing email, chat messages, and social media posts
Current TeamViewer Breach (news gathered June 1 ~ 6, 2016)
Previous (separate) Incidents
What to Do?
- Do not jump to conclusions; events are still unfolding
  - knee-jerk responses such as switching from TV to its competitors are pointless
  - all other products/services have similar issues
  - so-called virus scans, etc. are ineffective by definition; in fact, laughable
- evaluate your situation, and arrive at a set of effective mitigating strategies and a future roadmap
  - recommended first steps
    - immediately change all your TV account passwords
    - consider temporarily uninstalling the software
  - long-term
    - eradicate the persistent outbound reverse remote control session, authenticated and enabled by an external entity using a centralized database
    - reject (if possible) any product/service that installs NAT router traversal not under your direct control, including those that work by on-the-fly download of ActiveX controls or browser plug-ins
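One concrete way to carry out the "evaluate your situation" step is to review the incoming-connection records TeamViewer keeps on the local machine and pick out sessions you did not initiate. The script below is an added example; it is not part of this advisory and not TeamViewer's own tooling. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt on Windows (remote TeamViewer ID, remote display name, start time, end time, local user, connection type, connection GUID, with timestamps as DD-MM-YYYY HH:MM:SS); the records, the allow-list of known IDs and the working-hours window are constructed for the example.

```python
"""Triage helper (added example): flag incoming TeamViewer sessions that
warrant a closer look: unknown remote IDs, sessions outside normal hours,
and file-transfer sessions.

Assumptions, not stated in the advisory: Connections_incoming.txt is a
tab-separated file with one line per incoming session:
    remote ID, remote name, start, end, local user, connection type, GUID
and timestamps use the format DD-MM-YYYY HH:MM:SS.
"""
from datetime import datetime, time

# Constructed sample records in the assumed Connections_incoming.txt layout.
SAMPLE_LOG = """\
123456789\tMy Laptop\t30-05-2016 09:12:41\t30-05-2016 09:40:03\tAlice\tRemoteControl\t{A1B2C3D4-0000-0000-0000-000000000001}
987654321\tsupport-desk\t01-06-2016 03:17:55\t01-06-2016 03:19:20\tAlice\tRemoteControl\t{A1B2C3D4-0000-0000-0000-000000000002}
555000111\tJohn\t02-06-2016 14:05:10\t02-06-2016 14:45:00\tAlice\tFileTransfer\t{A1B2C3D4-0000-0000-0000-000000000003}
"""

# TeamViewer IDs of devices you own and connect from (constructed for the example).
KNOWN_IDS = {"123456789"}

TIME_FMT = "%d-%m-%Y %H:%M:%S"
# Hours during which you would plausibly start a session yourself (constructed).
WORK_START, WORK_END = time(7, 0), time(22, 0)


def parse_records(text):
    """Parse the tab-separated log text into a list of session dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            # Skip malformed lines instead of aborting the whole review.
            continue
        remote_id, remote_name, start, end, local_user, kind = fields[:6]
        records.append({
            "remote_id": remote_id,
            "remote_name": remote_name,
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT),
            "local_user": local_user,
            "kind": kind,
        })
    return records


def suspicious_sessions(records, known_ids=KNOWN_IDS):
    """Return (remote_id, start ISO timestamp, [reasons]) for each session
    that fails at least one of the three checks."""
    findings = []
    for r in records:
        reasons = []
        if r["remote_id"] not in known_ids:
            reasons.append("unknown remote ID")
        if not (WORK_START <= r["start"].time() <= WORK_END):
            reasons.append("outside normal hours")
        if r["kind"] == "FileTransfer":
            reasons.append("file transfer session")
        if reasons:
            findings.append((r["remote_id"], r["start"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    # On a real machine, replace SAMPLE_LOG with the contents of the
    # Connections_incoming.txt file from the TeamViewer install directory.
    for rid, when, why in suspicious_sessions(parse_records(SAMPLE_LOG)):
        print(f"{when}  ID {rid}: {', '.join(why)}")
```

The checks are deliberately simple: any session from an ID you do not recognise is worth investigating on its own, and the time and connection-type checks only add weight. Treat a hit as a reason to follow the first steps above (change the TV account password, consider uninstalling) and to review what the session could have reached, not as proof of a particular attack path.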
Addendum (June 21, 2016)
Related: GoToMyPC first announced that it had suffered a very sophisticated attack, then retracted the announcement, stated that it had found no signs of being successfully breached, and blamed the current wave of breached accounts on "password reuse" related to the recent LinkedIn password leak.