Potential Teamviewer pwnage?
cyberguypr
Mod Posts: 6,928 Mod
in Off-Topic
It seems like the thread from the other day disappeared. I am seeing this blow up on Twitter and Reddit with multiple reports of compromise. Add to the fire the fact that Teamviewer's site is currently down and it's looking really bad by the minute. Has anyone else seen weird activity and can confirm?
Comments
-
edwardd Registered Users Posts: 2 ■□□□□□□□□□
-
gespenstern Member Posts: 1,243 ■■■■■■■■□□
Yeah, my buddies say it doesn't work for them. I personally never relied on it (using their proxy that I can't control always seemed to be too much of a trust), sometimes I use TeamViewer QS portable (or Ammyy Admin, which works similarly to TeamViewer, etc.) when everything else fails just to set up an OpenVPN always-on with machine cert authentication to my own server and then use other remote administration tools over this connection.
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
Definitely sounds like they have been breached... We'll see though. Interesting to see how this plays out
-
joelsfood Member Posts: 1,027 ■■■■■■□□□□
Their site appears up from here.
To be fair, OP on other thread had teamviewer running without a password. Security through obscurity is never a safe path in life
-
doctorlexus Member Posts: 217
joelsfood wrote: » Their site appears up from here. To be fair, OP on other thread had teamviewer running without a password. Security through obscurity is never a safe path in life
That's weird. I responded to that thread, and now it's gone. Didn't know one could delete their threads on here, and can't see any reason for an admin to delete it.
In any case, I was using Teamviewer earlier today without any issues. If there was an outage, I must have missed it. My best guess on the hack is there are just a lot of people with poor security settings.
-
cyberguypr Mod Posts: 6,928 Mod
I don't know. There have been multiple reports of people who even had 2 factor enabled being compromised. There's an article out there about some malware leveraging the teamviewer binaries. I'm torn between teamviewer being compromised or a very strategic watering hole attack.
-
TheFORCE Member Posts: 2,297 ■■■■■■■■□□
The other thread was probably deleted because it had an active url that was pointing who knows where. Admin that deleted it probably knows more. I was tempted to click on it but did not have my VM running so I stayed away from it, better safe I guess. Those tiny urls are dangerous.
-
doctorlexus Member Posts: 217
I haven't been able to find any good security write-ups on teamviewer as of recent. Lots of user claims on reddit, but you never know if people are really being completely forthcoming about their personal security practices.
I'm leaving it installed on my machines for now. Malwarebytes and MSE show clean scans.
-
doctorlexus Member Posts: 217
TheFORCE wrote: » The other thread was probably deleted because it had an active url that was pointing who knows where. Admin that deleted it probably knows more. I was tempted to click on it but did not have my VM running so I stayed away from it, better safe I guess. Those tiny urls are dangerous.
Ah, yes, you're right. The OP of that thread did post a strange URL. I never clicked it, though. I don't trust strange URLs either.
-
Chinook Member Posts: 206
The corp claims nothing happened. IMO, I'd take that with a grain of salt. Companies are reticent to go public with hacks because it's bad for business. I work in the industry and I can tell you that I've personally approached organizations I've found major vulnerabilities in and almost 100% of the time they don't even reply and very often don't fix the problem. I've often considered releasing the information but I fear I'd go for a ride in a police truck.
The only way companies will change is when people can sue them for material loss of personal information.
-
doctorlexus Member Posts: 217
Yeah, I agree. Can't trust the company's claim, but also can't trust user claims so much either--unless I see a very skilled user make a detailed write-up about a security exploit. But I couldn't find anything substantiated in all of the reddit posts I looked at.
At this point, I'm just watching carefully for posts on future incidents and taking reasonable precautions.
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Curious how they are accessing bank accounts? I wonder if they have "save password" enabled on some sites or keyloggers probably
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
tpatt100 wrote: » Curious how they are accessing bank accounts? I wonder if they have "save password" enabled on some sites or keyloggers probably
Right, before I was guessing that Teamviewer got breached and the users that got their bank account emptied were using the same logon credentials for their banks as Teamviewer... But can't say that quite yet because they didn't get breached (according to them)
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Seen this on reddit, passwords being grabbed from the browser
https://www.reddit.com/r/teamviewer/comments/4m5t8e/if_you_were_hacked_look_in_the_teamviewer_logs/
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□
Logged into Teamviewer web portal and just got a contact request, with a user name like this it can't be legit lol
-
doctorlexus Member Posts: 217
This all from a web account? I wonder if having a web account is a necessary condition to being compromised. I never signed up for one myself.
-
cyberguypr Mod Posts: 6,928 Mod
I don't use this service but I've been following the reports and I just can't get aboard with the "people are reusing passwords" and "people are getting malware and that has nothing to do with us" story fed by Teamviewer. I know people are stupid, but this many all of a sudden, I just don't know. In the Reddit thread some compromised people admit to reusing passwords, yet others attested to no pwd reuse and some even had 2FA enabled. It's theoretically probable that every single user got something malicious dropped on their machine that exploited TV but again, seems unlikely. We need some of these users to volunteer a forensic image ASAP.
Teamviewer offices right now.
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
cyberguypr wrote: » Teamviewer offices right now.
LOL nice
(think I accidentally gave a minus rep instead of a plus rep...can an admin fix that one?)
-
Benj94 Member Posts: 67 ■■■□□□□□□□
TheFORCE wrote: » The other thread was probably deleted because it had an active url that was pointing who knows where. Admin that deleted it probably knows more. I was tempted to click on it but did not have my VM running so I stayed away from it, better safe I guess. Those tiny urls are dangerous.
It was my thread and I wondered why it was deleted. I completely forgot about the URL. The URL took you to the website the hacker tried to take me to. I believe he was trying to find my IP.
Would have been nice if the admin had just taken the link out rather than deleting the thread.
Strange goings on with Team Viewer at the moment. I'd definitely recommend closing it when you don't need it. If I wasn't at my computer when I was hacked, I could have been royally screwed.
Server and Storage Analyst
CompTIA A+ ⚫
MSCA: Server 2016 - 70-710⚫ 70-711⚫ 70-712⚫
-
Benj94 Member Posts: 67 ■■■□□□□□□□
NetworkNewb wrote: » Don't worry got a new avatar for him
Thanks dude. We live and learn.
-
Matt2 Member Posts: 97 ■■□□□□□□□□
Yeah, based on what I've been seeing I'll be surprised if they don't EVENTUALLY admit, errr determine, they were compromised.
-
beads Member Posts: 1,533 ■■■■■■■■■□
I can't find anything legit but this link is from TeamViewer. TeamViewer denies hack as users claim computers remotely hijacked
Watch out for attribution gone wild. In this case it could be a malicious link sourcing LastPass for all we know. Find evidence, follow it to its logical, not hysterical, conclusion and you will discover the truth.
For now... the whole thing sounds hokey.
- b/eads