Author Topic: TeamViewer hacked? (Read 29814 times)

mwb1100 · « **on:** June 01, 2016, 06:51 PM »

I don't use TeamViewer, but I know that it has been discussed several times here as a solution for remote access to PCs. It's being reported that TeamViewer's systems have been hacked and that the attackers used the access they gained to also access end-user machines.

The reports include PayPal accounts being emptied and items ordered from Amazon and eBay.

- http://www.theregist..._mass_breach_report/
- https://www.reddit.com/r/teamviewer

mouser · « **Reply #1 on:** June 01, 2016, 06:53 PM »

Thanks for the update, that's a scary possibility. I'll note from the web page that TeamViewer denies they've been hacked.

But it sounds like those of us who have TeamViewer running in the background need to keep a close eye on it and maybe disable it for now if feasible.

mwb1100 · « **Reply #2 on:** June 01, 2016, 07:07 PM »

TeamViewer denies they've been hacked.
-mouser (June 01, 2016, 06:53 PM)

That's true: https://www.teamview...-teamviewer-hackers/

However there are a lot of people on reddit reporting being attacked, and the reports seem to be spiking today - a week after the TV denial (which strikes me as curious, but I don't know the history behind this story yet). Maybe it's a case of Teamviewer users being easier than usual targets for some reason or that they are targets that have higher than usual 'yields' for the hackers. So as you said, it would be wise to be cautious.

Deozaan · « **Reply #3 on:** June 01, 2016, 09:27 PM »

Should we perhaps changed the topic to a question, instead of stating it like fact?

mouser · « **Reply #4 on:** June 01, 2016, 09:46 PM »

good idea, done.

mwb1100 · « **Reply #5 on:** June 02, 2016, 01:35 AM »

A more recent blog posting indicates that a trojan attached to a compromised Adobe Flash update package installs the TeamViewer client that is used to access end user machines:

- https://www.teamview...kdoor-teamviewer-49/

If I understand this correctly, this means that you don't have to have installed TeamViewer yourself. Or something. To be honest I'm not exactly sure what's going on, other than it doesn't seem to be anything good.

f0dder · « **Reply #6 on:** June 02, 2016, 03:13 AM »

I know a few people who use TeamViewer that have, by chance, seen people taking control of their machines.

It's a pretty convenient application, but I really, really, really wouldn't leave it directly accessible from the internet all the time. I don't know if it has exploits, a weak/broken security protocol, or simply doesn't have any anti-bruteforce mechanisms built-in, but something's definitely too weak.

Stoic Joker · « **Reply #7 on:** June 02, 2016, 06:53 AM »

The "careless use" disclaimer strikes me as a bit disingenuous when it's rather obvious someone is working their block quite hard. However that being said, I have long loathed the idiotic habit of 3rd party "Support" personnel installing remote access app X on everything from workstations to servers and then just orphaning it leaving people exposed by its then ongoing connection opportunity.

Any access hole poked into a network must be sealed the instant it is no longer absolutely necessary ...Period.

wraith808 · « **Reply #8 on:** June 02, 2016, 11:03 AM »

The "careless use" disclaimer strikes me as a bit disingenuous when it's rather obvious someone is working their block quite hard. However that being said, I have long loathed the idiotic habit of 3rd party "Support" personnel installing remote access app X on everything from workstations to servers and then just orphaning it leaving people exposed by its then ongoing connection opportunity.

Any access hole poked into a network must be sealed the instant it is no longer absolutely necessary ...Period.
-Stoic Joker (June 02, 2016, 06:53 AM)

I was calling work for support while I was at home. I access the work network by using mstsc through a portal to contact my work laptop instead of taking it home. The support personnel said "can I install on your machine (whatever remote control they use). I promptly said no. Especially as the evidence I'd given them was more than enough to point to the true problem- something going on with the portal. But even if it had not, I would have said no. What they do with their own property is their business. But the crap this stuff installs- from join.me (which has started to try to install when used) to omnijoin (the same) is really annoying for the use its put to, and this is a good example of why I feel that way.

Tuxman · « **Reply #9 on:** June 02, 2016, 12:37 PM »

There is no sane reason to use TeamViewer which, by defaults, routes your shared desktop over U.S. servers.

wraith808 · « **Reply #10 on:** June 02, 2016, 01:56 PM »

There is no sane reason to use TeamViewer which, by defaults, routes your shared desktop over U.S. servers.
-Tuxman (June 02, 2016, 12:37 PM)

I'm assuming that traffic is encrypted (though I don't use it, I recognize that it's a useful tool for some)

Tuxman · « **Reply #11 on:** June 02, 2016, 02:03 PM »

For what reason do you assume that? Good faith?

wraith808 · « **Reply #12 on:** June 02, 2016, 03:15 PM »

For what reason do you assume that? Good faith?
-Tuxman (June 02, 2016, 02:03 PM)

I assume it because (a) I'm not using it, (b) it would make sense to do so, and (c) I'm too lazy and don't care enough to check it. Mostly (a), but really (c).

mouser · « **Reply #13 on:** June 02, 2016, 03:22 PM »

It's a pretty safe assumption -- it would be unfathomable for such a mature enterprise-level product not to use encryption for something like this.

And in fact you can read about the encryption they use here:
https://www.teamviewer.com/en/security/

"TeamViewer includes encryption based on 2048 RSA private-/public key exchange and AES (256 bit) session encryption. This technology is based on the same standards as https/SSL and meets today's standards for security. The key exchange also guarantees full, client-to-client data protection. This means that even our routing servers are not able to read the data stream."

Tuxman · « **Reply #14 on:** June 02, 2016, 03:25 PM »

today's standards for security
-mouser (June 02, 2016, 03:22 PM)

So?

Asudem · « **Reply #15 on:** June 03, 2016, 12:44 PM »

I just woke up to a "Thank You For Using TeamViewer" popup this morning guys... I did not remote into my own computer while i was in bed last night...

Ummmmmmmm

Deozaan · « **Reply #16 on:** June 03, 2016, 01:29 PM »

TeamViewer just announced some new features that appear to be related to this: Trusted Devices (2FA on devices connecting for the first time) and Data Integrity (forced password reset due to suspicious activity)

https://www.teamview...-and-data-integrity/

Asudem · « **Reply #17 on:** June 03, 2016, 01:36 PM »

Oh the hack is very real. Someone logged into my computer at about 6am and went to eBay and bought themselves $400 in iTunes giftcards and then tried to buy $200 in PlayStation giftcards from amazon.

wraith808 · « **Reply #18 on:** June 03, 2016, 01:50 PM »

Oh the hack is very real. Someone logged into my computer at about 6am and went to eBay and bought themselves $400 in iTunes giftcards and then tried to buy $200 in PlayStation giftcards from amazon.
-Asudem (June 03, 2016, 01:36 PM)

Why are you continually running it?

Stoic Joker · « **Reply #19 on:** June 04, 2016, 08:27 AM »

Man talk about sticking hard to the cover story...

As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.

We are appalled by the behaviour of cyber criminals, and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.
-TV Blog

Trying to hard much???

And how exactly do they explain (away) the part where it is mainly (read only) the TV v11 users that are getting "randomly" hit??

Then there's the we're not going to call it a (security) update...update. That they hung together in only days after - but not in response to - the not attack.

Saving face is one thing ... But this is just sad.

Given the issues we've been having with our current SSL Trusted Root signed VNC variant. I've been looking for something mainstream that our company can jump to for remote support, that won't constantly waste time talking end users through security warning.

Hay did I mention that this is a digitally signed by an SSL trusted root certificate provider that still constantly gets flagged by damn near everything??? (Signed binaries my ass)

Anyhow TV was on my list of -(mainstream)- replacement companies to investigate last week ... But they're not on that list anymore.

Jibz · « **Reply #20 on:** June 04, 2016, 09:40 AM »

So what is a good alternative? I haven't tried it, but I've heard NoMachine mentioned?

Asudem · « **Reply #21 on:** June 04, 2016, 03:40 PM »

Oh the hack is very real. Someone logged into my computer at about 6am and went to eBay and bought themselves $400 in iTunes giftcards and then tried to buy $200 in PlayStation giftcards from amazon.
-Asudem (June 03, 2016, 01:36 PM)

Why are you continually running it?
-wraith808 (June 03, 2016, 01:50 PM)

I use it to remote in from mobile. Not anymore though.

Zero3K · « **Reply #22 on:** June 04, 2016, 10:10 PM »

So what is a good alternative? I haven't tried it, but I've heard NoMachine mentioned?
-Jibz (June 04, 2016, 09:40 AM)

I am using Brynhildr as my RAT. You can get it by going to http://blog.x-row.net/?p=2455#download. There is also a QT based client available at https://github.com/f...qtbrynhildr/releases.

x16wda · « **Reply #23 on:** June 04, 2016, 10:22 PM »

So when I use TeamViewer to connect to one of my family's pcs, I need to either know credentials for the PC, or have to get the user to say OK before I can connect. What am I missing? Is everyone's desktop unlocked, or you have a no password required setting somewhere?

Deozaan · « **Reply #24 on:** June 04, 2016, 11:24 PM »

So when I use TeamViewer to connect to one of my family's pcs, I need to either know credentials for the PC, or have to get the user to say OK before I can connect. What am I missing? Is everyone's desktop unlocked, or you have a no password required setting somewhere?
-x16wda (June 04, 2016, 10:22 PM)

It's possible to set up unattended access, so you can remote into your own system without having to have someone there click OK or tell you a code. But in order to do so, someone would still need to be logged in as you, using your TeamViewer account username/password combination. Or something.