Archive for TeamViewer

TeamViewer Pwned Again

Posted in Commentary with tags on June 29, 2024 by itnerd

Today, TeamViewer, a large remote access and control software provider, has confirmed a data breach by the notorious hacker group Midnight Blizzard. The company’s statement confirmed the breach is tied to an employee’s credentials within its Corporate IT environment. Bleeping Computer has more details:

While TeamViewer states there is no evidence that its product environment or customer data has been breached, its massive use in both consumer and corporate environments makes any breach a significant concern as it would provide full access to internal networks.

In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors due to their use of the Winnti backdoor. The company said they did not disclose the breach at the time as data was not stolen in the attack.

Glenn Chisolm, Co-Founder, Obsidian had this to say:

“Identity compromise, which has been a driver in the TeamViewer incident, is a critical component of most breaches we see in customer environments, accounting for over 80% of SaaS breaches. We see TeamViewer deployed by 1-in-3 organizations – so ensuring that the breach is contained is the first big step for the company. 

Our advice to customers to minimize identity compromises is to follow 3 crucial steps – a) centralize identity access behind an IdP — often many apps also have local users, and ensuring the right levels of security is much harder in a distributed setting, b) federated access supported with the right levels of MFA to elevate the security, and c) monitor and protect employee accounts, especially administrative accounts, against abnormal behavior — such as can result from spear phishing attacks, AiTM phishing, and more.”

TeamViewer is something that I have been strongly recommending against since their 2016 hack that they only admitted to three years later. This reinforces the fact that if you use TeamViewer, you should strongly consider using another product. Because TeamViewer clearly cannot be trusted.

TeamViewer Is A #Fail When It Comes To Security

Posted in Commentary with tags on April 29, 2019 by itnerd

I haven’t given TeamViewer much of a thought since this incident when it looked like the popular remote access and screen sharing software got hacked. But that changed last week when I got a call from a new client who was unable to get one feature of TeamViewer working. Specifically the screen blanking feature. This person’s use case was to use TeamViewer as a remote access tool and he wanted to blank the screen on the remote PC so that his activities could not be seen in his office. That should be easy enough to do as TeamViewer does have a screen blanking feature that is described in this support document. However, when he tried to do this, the video driver that was related to this feature would not install. So he called me for assistance.

I took a look at the problem and quickly figured out what was going on. This customer was using Windows 10, which has a feature turned on by default called device driver signing. It verifies the integrity of driver packages and the identity of the software publisher who provides them. This feature requires that drivers carry a digital signature, and it’s meant to ensure that rogue drivers don’t make it onto your system and in turn cause havoc.

But in this case the digital signature was out of date:

[Screenshot: digital signature details of the driver]

If you look at the “Valid from” field, you’ll see that it is valid to 3/3/2018. That’s a total #fail as when I examined the rest of the driver package, they had signatures that were valid until 2020. So this is pretty sloppy work on the part of TeamViewer. And the only way around this is to disable Windows 10’s ability to check for signed drivers. You’ll note that I have not included instructions for doing so because disabling this feature is a pretty stupid idea that I will not support as it makes your PC somewhat less secure. Given that we live in a world where security threats are everywhere, dumbing down the security of your PC just to install something is not a good idea. After informing my client of this, he was seriously unimpressed and he’s looking for other options for remote access.
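To see which files in a driver package carry a signer certificate that has expired, the package can be audited with PowerShell’s `Get-AuthenticodeSignature` before any install is attempted. This is an added example, not part of the original post or TeamViewer’s tooling; the package path is a placeholder.

```powershell
# Added example: audit the Authenticode signatures of the files in a driver package.
# $PackagePath is a placeholder; point it at the folder holding the extracted driver files.
param(
    [string]$PackagePath = 'C:\Temp\DriverPackage'
)

# Signed binaries and catalogs. An .inf is not signed itself; the .cat covers it.
$extensions = '.sys', '.cat', '.dll', '.exe'
$now = Get-Date

Get-ChildItem -Path $PackagePath -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate   # $null when the file is not signed

        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject }   else { $null }
            ValidFrom   = if ($cert) { $cert.NotBefore } else { $null }
            ValidTo     = if ($cert) { $cert.NotAfter }  else { $null }
            CertExpired = if ($cert) { $cert.NotAfter -lt $now } else { $null }
            # A trusted timestamp records that the file was signed while the
            # certificate was still valid, so note whether one is present.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    } |
    Sort-Object ValidTo |
    Format-Table -AutoSize
```

Files that show `CertExpired` as True with `Timestamped` as False, or any `Status` other than Valid, are the ones to raise with the vendor rather than work around.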

What’s even worse is that this is not a new situation. A simple Google search shows that this is something that has been around since 2017 in some form or another. Which is a really bad reflection on TeamViewer as they market their product as a corporate solution. But given the above it clearly isn’t and you should avoid TeamViewer like the plague.

Has TeamViewer Been Hacked?

Posted in Commentary with tags on June 2, 2016 by itnerd

Reports are coming in from all over the Internet that popular remote access service TeamViewer has been hacked. Users are reporting everything from control of their computers being taken over by remote parties, malware being installed, to PayPal accounts being drained. Users were reporting that the service was down for several hours as well.

Now the company has put out a statement denying the hack, and saying that the service was down because of a distributed denial of service attack, like the one that I got hit with recently. But I am not sure that I buy that. There’s a lot of evidence here that suggests that way more is going on than TeamViewer is admitting to. This is further backed up by a statement, bizarrely dated last week but referencing the events of the last 24 hours or so, where TeamViewer references “careless use” of passwords by its customers. It truly sounds like these guys have something to hide.

Whatever the truth is, I am sure we’ll find out what it is soon enough. In the meantime, if you use TeamViewer, it might be wise to stop using it for the time being to protect yourself.