Ransomware Actor Uses TeamViewer to Gain Initial Access to Networks

Published: 23/11/2024   Category: security


Attackers have increasingly leveraged the widely used remote access tool, installed on hundreds of millions of endpoints, to break into victim environments.



TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices. Like other legitimate remote access technologies, it is also something that attackers have used with relative frequency to gain initial access on target systems.
Two attempted ransomware deployment incidents that researchers at Huntress recently observed are the latest case in point.
The attacks that Huntress flagged targeted two disparate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware based on a leaked builder for LockBit 3.0 ransomware.
Further investigation showed the attackers had gained initial access to both endpoints via TeamViewer. The logs pointed to the attacks originating from an endpoint with the same hostname, indicating the same threat actor was behind both incidents. On one of the computers, the threat actor spent just over seven minutes after gaining initial access via TeamViewer, while on the other, the attacker's session lasted more than 10 minutes.
The Huntress report did not say how the attacker might have taken control of the TeamViewer instances in both cases. But Harlan Carvey, senior threat intelligence analyst at Huntress, says that some of the TeamViewer logins appear to be from legacy systems.
"The logs provide no indication of logins for several months or weeks before the threat actor's access," he says. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login."
Carvey says it is possible that the threat actor was able to purchase access from an initial access broker (IAB), and that the credentials and connection information may have been obtained from other endpoints through the use of infostealers, a keystroke logger, or some other means.
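The two log signals described above (a remote name that has never connected to an endpoint before, arriving after months of inactivity, and the same remote name turning up on more than one endpoint) can be checked mechanically. The script below is an added example, not Huntress' tooling or TeamViewer's; it assumes a tab-separated layout modelled on TeamViewer's Connections_incoming.txt (ID, remote name, start, end, local account, connection type, session ID), and the log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Layout is an assumption modelled
# on TeamViewer's tab-separated Connections_incoming.txt: TeamViewer ID,
# remote display name, start, end, local account, connection type, session ID.
# One list per monitored endpoint; the last entry on both comes from the same
# remote name, the pattern Huntress used to link the two incidents.
LOGS = {
    "WS-FINANCE-01": [
        "111111111\tHelpdesk-PC\t02-03-2024 09:12:00\t02-03-2024 09:40:00\tjsmith\tRemoteControl\t{s1}",
        "111111111\tHelpdesk-PC\t15-05-2024 10:05:00\t15-05-2024 10:30:00\tjsmith\tRemoteControl\t{s2}",
        "999999999\tDESKTOP-ATTK\t20-11-2024 02:14:00\t20-11-2024 02:21:30\tjsmith\tRemoteControl\t{s3}",
    ],
    "WS-LEGACY-07": [
        "222222222\tHelpdesk-PC\t10-01-2024 11:00:00\t10-01-2024 11:20:00\tadmin\tRemoteControl\t{s4}",
        "999999999\tDESKTOP-ATTK\t20-11-2024 02:40:00\t20-11-2024 02:51:00\tadmin\tRemoteControl\t{s5}",
    ],
}
TS = "%d-%m-%Y %H:%M:%S"

def parse_line(line):
    """Split one incoming-connection record into a dict with parsed timestamps."""
    tv_id, name, start, end, user, ctype, sid = line.rstrip("\n").split("\t")
    return {"id": tv_id, "name": name, "user": user, "type": ctype,
            "start": datetime.strptime(start, TS), "end": datetime.strptime(end, TS)}

def analyse(logs, dormant_days=90):
    """Flag remote names never seen before on an endpoint (recording the idle gap
    since the previous session and the session length), then report any flagged
    name that shows up on more than one endpoint."""
    findings, flagged_hosts = [], defaultdict(set)
    for host, lines in logs.items():
        sessions = sorted((parse_line(l) for l in lines), key=lambda s: s["start"])
        known, prev_end = set(), None
        for s in sessions:
            # The first session on an endpoint has no baseline, so it is never flagged.
            if prev_end is not None and s["name"] not in known:
                gap = s["start"] - prev_end
                findings.append({"host": host, "name": s["name"], "reason": "first-seen",
                                 "idle_days": gap.days, "dormant": gap > timedelta(days=dormant_days),
                                 "minutes": round((s["end"] - s["start"]).total_seconds() / 60, 1)})
                flagged_hosts[s["name"]].add(host)
            known.add(s["name"])
            prev_end = max(prev_end, s["end"]) if prev_end else s["end"]
    for name, hosts in flagged_hosts.items():
        if len(hosts) > 1:  # same unfamiliar remote name on several endpoints: likely one actor
            findings.append({"host": "*", "name": name, "reason": "shared", "hosts": sorted(hosts)})
    return findings

if __name__ == "__main__":
    for finding in analyse(LOGS):
        print(finding)
```

Known help-desk hosts are deliberately not reported as "shared" because only names that were already unfamiliar on an endpoint are correlated across endpoints.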
There have been several past incidents where attackers have used TeamViewer in similar fashion. One was a campaign last May by a threat actor looking to install the XMRig cryptomining software on systems after gaining initial access via the tool. Another involved a data exfiltration campaign that Huntress investigated in December. Incident logs showed the threat actor had gained an initial foothold in the victim environment via TeamViewer. Much earlier, Kaspersky in 2020 reported on attacks it had observed on industrial control system environments that involved the use of remote access technologies such as RMS and TeamViewer for initial access.
There have also been incidents in the past — though fewer — of attackers using TeamViewer as an access vector in ransomware campaigns. In March 2016, for instance, several organizations reported getting infected with a ransomware strain called Surprise that researchers were later able to tie back to TeamViewer.
TeamViewer's remote access software has been installed on some 2.5 billion devices since the eponymously named company launched in 2005. Last year, the company described its software as currently running on more than 400 million devices, of which 30 million are connected to TeamViewer at any time. The software's vast footprint and its ease of use have made it an attractive target for attackers, just like other remote access technology.
TeamViewer itself has implemented mechanisms to mitigate the risk of attackers misusing its software to break into systems. The company has claimed that the only way an attacker can access a computer via TeamViewer is if the attacker has the TeamViewer ID and associated password.
"Without knowing the ID and password, it is not possible for others to access your computer," the company has noted, while listing measures that organizations can take to protect themselves against misuse.
These include:
Exiting TeamViewer when the software is not in use;
Using the software's Block and Allow list features to restrict access to specific individuals and devices;
Restricting access to certain features for incoming connections;
Denying connections from outside the enterprise network.
The company has also pointed to TeamViewer's support for conditional access policies that allow administrators to enforce remote access rights.
In a statement to Dark Reading, TeamViewer said that most instances of unauthorized access involve a weakening of TeamViewer's default security settings.
"This often includes the use of easily guessable passwords, which is only possible by using an outdated version of our product," the statement said. "We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor authentication, allow-lists, and regular updates to the latest software versions." The statement included a link to
best practices for secure unattended access from TeamViewer Support
.
