TeamViewer improves security following reports of massive breaches. TeamViewer feedback

About a month ago, TeamViewer users started complaining on forums, Twitter and other social networks that their accounts had been hacked. Last week, reports appeared on Habr as well. At first it looked like nothing serious: a few isolated cases. But the stream of complaints kept growing, and the relevant Reddit threads and the Twitter hashtag now list hundreds of victims. Over time it became clear that this was no coincidence and that something more serious was going on. Most likely, there was a massive leak of the passwords of users who reuse the same password across different services.

Among the victims were not only ordinary users but also security specialists. One of them was Nick Bradley, a senior security officer in IBM's Threat Research Group. He reported that his account was hacked on Friday, June 3, and Nick watched the takeover of his computer happen right before his eyes.

“At about 6:30 pm, I was in the middle of a game,” says Nick. “I suddenly lost control of my mouse, and a TeamViewer message appeared in the lower right corner of the screen. As soon as I realized what was happening, I immediately killed the application. Then it dawned on me: I have other machines with TeamViewer installed!”

“I ran downstairs, where another computer was on and running. From a distance I saw that the TeamViewer window had already appeared there too. Before I could remove it, the attacker launched a browser and opened a new web page. As soon as I got to the keyboard, I immediately canceled the remote control, went straight to the TeamViewer website, changed the password and activated two-factor authentication.”


Screenshot of the page that the attacker opened

“Fortunately, I was near the computer when the attack took place. Otherwise, its consequences are difficult to imagine,” writes the security specialist. He began to investigate how this could have happened. He had not used TeamViewer for a very long time and had almost forgotten that it was installed on the system, so it was logical to assume a password leak from some other hacked service, for example LinkedIn.

However, Nick continued to investigate and found hundreds of forum posts about TeamViewer hacks.

In his opinion, the attacker's actions look like a quick survey of which computers were at his disposal. He opened a page showing the victim's IP address and time zone, probably planning to return later at a more convenient time.

TeamViewer is designed for remote PC control. Whoever takes over someone else's account effectively gets a ready-made rootkit installed on the victim's computer. Many victims complain that money has gone missing from their bank and PayPal accounts.

TeamViewer believes the password leak is linked to a series of mega-breaches of major social networks. A month ago, about 642 million passwords for Myspace, LinkedIn and other sites became public. The attackers are probably using this data to build separate targeted password databases for users of Mail.ru, Yandex and now TeamViewer.

TeamViewer denies that its corporate infrastructure was hacked and explains the server outage on the night of June 1 to 2 by DNS problems and a possible DDoS attack. The company recommends that victims not reuse the same passwords across different sites and applications, and that they enable two-factor authentication. To this one can add: update the program to the latest version and change passwords periodically. It is advisable to generate unique passwords, for example with a password manager.

In addition, TeamViewer has introduced two new security features in response to the mass account takeovers. The first, Trusted Devices, adds an extra authorization step before an account can be managed from a new device (to confirm, you have to follow a link sent by e-mail). The second, Data Integrity, automatically monitors accounts for unauthorized access, taking into account the IP addresses from which connections are made. If signs of a compromise are found, the account is forced to change its password.

TeamViewer's reaction looks like a logical and appropriate response to a massive leak of user passwords (partly through the users' own fault). Nevertheless, there are still suspicions that the attackers found a vulnerability in the TeamViewer software itself that makes it possible to brute-force passwords and even bypass two-factor authentication. At least on the forums there are messages from victims claiming that they used two-factor authentication.

Users were delighted with this program. Some of them even wrote whole pages of laudatory comments.

One of them believes that this program is a real salvation for people whose parents live far away, and enthusiastically describes the wonderful utility.

He says that his parents live in Vladivostok while he himself moved to St. Petersburg. His parents had a problem with their equipment, and thanks to this program he was able to solve it quickly.

Notable points:

  1. This program helps to quickly diagnose a computer remotely.
  2. He is glad that the program is completely free for non-commercial use.
  3. There are frequent disconnections, which occur because the provider is throttling Internet traffic.

A significant advantage of the program is that you can work directly from your phone, and the provider will not cut off your connection. You can also connect to your home or work computer.

Reviews of the commercial TeamViewer

Another review came from a woman. She says the program has become her salvation, even though she does not understand software. She says she only needs to open and close a few programs a day. She works as a manager in a store. Naturally, she understands all these programs, but when the staff changed, it became necessary to monitor what was happening, and TeamViewer helped her keep track of all the computers of the store's employees.

  1. She had to make sure that the workers correctly opened and closed the special software.
  2. She found out about this program by chance from friends and immediately installed it on her own computer as well as on the work computers.
  3. She is quite satisfied, as she is sure that her employees will do everything correctly.

Another user says he has been using the utility for more than 5 years. What is this utility for? There are cases when certain computer settings cannot be made from a template, and that is where TeamViewer comes to the rescue.

This user has Windows 7, his neighbor has Windows 8, and his grandmother needs an accounting program set up. What to do? Of course, it is better to work on the computer in question, so that you can configure the necessary parameters yourself rather than explain them for hours. If some error suddenly appears, it is almost a disaster for those who are afraid of computers. But to eliminate such a problem, you can explain to the person on the other side of the monitor what needs to be downloaded and from which site. It is very easy to use: just type "teamviewer" into a search engine, and the official website comes up, from which you can safely download the utility.

The program has many settings, but for normal operation you only need to press the remote control button.

  • In remote control mode, the screen of the remote computer is visible. After the session ends, a reminder pops up that the session was sponsored by TeamViewer.
  • The mouse and keyboard respond well to the actions of the connected computers, whether it is the owner of the device or another connected guest.
  • All actions that a person performed on this computer are visible in the additional remote control screen. The license costs about 30,000 rubles, but if you choose commercial use, it will pay for itself within a certain period of time.

The amount of the ransom demanded depends on the importance of the data and can vary from 0.5 to 25 bitcoins.

Internet users are being attacked by a new ransomware called Surprise. Once on the system, the malware starts encrypting files on the computer, adding the .surprise extension to encrypted documents. In general, the functionality of the ransomware does not differ from that of other malware of this type. However, the way it is distributed is very interesting: for this purpose, attackers use TeamViewer, a remote desktop access tool.

The ransomware first became known from a post by a user of the Bleeping Computer forum. As further discussion of the topic showed, all victims of the malware had TeamViewer version 10.0.47484 installed. Note that the amount of the ransom demanded depends on how important the data is and can vary from 0.5 to 25 bitcoins. Payment terms are discussed individually.

According to David Balaban, an expert at PrivacyPC who analyzed the TeamViewer traffic logs, the attackers remotely launched the surprise.exe process on the victims' computers. According to Balaban, the criminals could have used credentials stolen as a result of a compromise of TeamViewer's computer systems. However, the company itself denied the possibility of unauthorized entry.

According to Bleeping Computer owner Lawrence Abrams, the Surprise malware is a modified version of the open source ransomware EDA2, developed by Turkish researcher Utku Sen. Note that several ransomware families are based on this software. Sen's other project, the Hidden Tear ransomware, is also popular among cybercriminals; there are already 24 ransomware families based on it.

TeamViewer's comment:

In recent days, there have been reports of ransomware infections associated with the TeamViewer software. We strongly condemn any criminal activity, but we would like to emphasize two aspects:

1. So far, none of the infections have been linked to a vulnerability in the TeamViewer software.

2. There are a number of measures that can help prevent potential violations.

We have thoroughly investigated the cases that have come to our attention and have concluded that the security issues behind them cannot be related to the TeamViewer software. So far, we have no evidence that attackers are exploiting any potential vulnerabilities in TeamViewer. Moreover, a man-in-the-middle attack can actually be ruled out because TeamViewer uses end-to-end encryption. We also have no reason to believe that brute-force cryptanalysis attacks were the cause of these infections. The fact is that TeamViewer exponentially increases the delay between connection attempts, so just 24 attempts would take a whole 17 hours. The delay time is only cleared after entering the correct password. TeamViewer has a mechanism that protects clients from attacks not only from one specific computer, but also from multiple computers (so-called “botnet attacks”) trying to access a specific TeamViewer-ID.

In addition, we would like to state that none of these cases are indicative of defects in the architecture or security mechanisms of the TeamViewer software.

The reason for all the cases of infection we studied lies, first of all, in the careless use of software. This includes, in particular, the use of the same passwords for different user accounts on systems from different vendors.

In the past week, many TeamViewer users have been hit by attacks from unknown hackers. At the same time, the company's servers and official website went offline for several hours, which was later explained by a DoS attack on DNS servers. TeamViewer has now announced two new features to improve the security of the app and its users.

On the night of June 1 to June 2, 2016, TeamViewer users were hit by unknown attackers. Hundreds of people wrote on Reddit and social networks about the same thing: someone had used their TeamViewer and stolen money. At the same time, many victims reported that they used strong passwords and two-factor authentication, but even this did not save them from being hacked.

The fact that the TeamViewer website unexpectedly went offline added fuel to the fire. Many immediately assumed that the company had been hacked and that the hackers had managed to get at user credentials. But TeamViewer representatives soon rejected these theories, saying that no one had broken in, that TeamViewer does not contain any vulnerabilities, and that the outage was caused by a "DoS attack on the company's DNS servers."

The developers also suggested that the mass hacks are the result of "carelessness in protecting the user's account." In effect, the company told the users that they themselves were to blame for being hacked, pointing out that it was "in particular about using the same passwords for different user accounts on different services." Company representatives also noted that "no one is safe from accidentally downloading and installing malware."

Some of the victims were not convinced by the company's statement, because it does not fit well with the fact that some of the victims used two-factor authentication and strong passwords and were not infected with malware.

Now the supporters of the "they are keeping quiet about a breach" theory have new food for thought. On June 3, 2016, TeamViewer introduced two new security enhancements at once.

The first feature, Trusted Devices, lets you control access from new devices. When a user logs into an account from a new device for the first time, before starting work he will have to follow a link in an e-mail sent to the account owner's address.

The second feature, Data Integrity, will monitor all activity associated with the user's account. If the system notices something suspicious, for example someone trying to log into an account from an unusual location or an unknown IP address, it will reset the password. The account owner will receive an e-mail with further instructions and a report of the incident.

All TeamViewer servers are housed in modern data centers that comply with the ISO 27001 standard and use redundant connections and redundant power supplies. Data protection is planned around RAID arrays, data mirroring and backups, highly available server storage, router systems with disaster recovery mechanisms, and continuous maintenance procedures. In addition, all servers holding confidential data are located in Germany or Austria.

Data centers use state-of-the-art security controls, including personal access control, video surveillance, motion detectors, 24/7 monitoring and security personnel; only authorized persons are given access to the data center, to ensure the highest degree of equipment and data security. Access is granted through a single point of entry into the data center and only after thorough verification.

Digital signature of software

To enhance security, all of our software is digitally signed by VeriSign. This ensures that the manufacturer of the software can always be reliably identified. If the software has been modified, the digital signature is automatically invalidated.

TeamViewer sessions

SESSION CREATION AND CONNECTION TYPES

When creating a session, TeamViewer determines the optimal connection type. After the handshake through our main servers, in 70% of cases a direct connection is established via UDP or TCP (even behind standard gateways, NATs and firewalls). The remaining connections are routed through our network of redundant routers via TCP or HTTPS tunneling.

You don't have to open additional ports to work with TeamViewer.

ENCRYPTION AND VERIFICATION OF AUTHORITY

Securing the TeamViewer data stream is based on RSA public/private key exchange and session encryption using AES (256-bit). The same technology is used for HTTPS/SSL and is considered completely secure by modern standards.

Since the private key never leaves the client computer, this procedure ensures that intermediate computers, including the TeamViewer routing servers, cannot decrypt the data stream. Even TeamViewer employees acting as operators of the routing servers cannot read the encrypted traffic.

All data from the management console is transmitted in the standard way for secure Internet connections: over a secure channel using TLS (Transport Layer Security) encryption. Password authentication and encryption use the Secure Remote Password (SRP) protocol, an augmented password-authenticated key exchange (PAKE) protocol. An attacker or "man in the middle" cannot obtain enough information to mount a brute-force attack to recover the password. This is a clear example of how high security can be achieved even with a weak password. Nevertheless, to ensure a high level of security, TeamViewer still recommends using up-to-date password generation methods.

Each TeamViewer client already holds the public key of the main cluster and can therefore encrypt messages to the main cluster and verify the messages it has signed. This PKI (public key infrastructure) effectively prevents active connection intrusion (MITM). Despite the encryption, the password is never sent directly but only used in a challenge-response procedure, and it is stored only on the local computer. During authentication, the use of SRP prevents direct transmission of the password; thus only the password verifier is stored on the local computer.

Checking TeamViewer IDs

IDs are generated automatically in TeamViewer based on the characteristics of the software and hardware. TeamViewer servers check the validity of the ID before every connection.

Brute-force attack protection

Potential customers interested in TeamViewer security regularly ask about encryption. The most frightening risk is a third party tampering with the connection or intercepting TeamViewer access data. In practice, however, fairly primitive attacks are often the most dangerous.

In computer security, a brute-force attack is a trial-and-error method of guessing the password that protects a resource. As the computing power of ordinary computers grows, the time needed to brute-force long passwords keeps decreasing.

As a defense against such attacks, TeamViewer increases the delay between connection attempts exponentially, so that 24 attempts now take 17 hours. The delay is only reset after the correct password is entered.

The TeamViewer protection mechanism protects clients against attacks from a single computer as well as from multiple computers (so-called botnet attacks) aimed at capturing the access data for a specific TeamViewer ID.
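The two properties described above (an exponentially growing delay that is keyed to the target ID rather than to the attacking host, and that is cleared only by a correct password) can be modelled in a small throttle. The following is an added illustration, not TeamViewer's code; the base delay of 2 seconds and the 1-hour cap are assumptions, since the page only states that 24 attempts take 17 hours.

```python
import time
from dataclasses import dataclass

# Hypothetical schedule: the page only says 24 attempts take 17 hours, so the
# base delay and cap below are assumptions, not TeamViewer's real parameters.
BASE_DELAY = 2.0      # seconds of wait imposed after the first failure
MAX_DELAY = 3600.0    # cap so a long attack cannot grow the wait without bound


@dataclass
class TargetState:
    """Failure bookkeeping for one TeamViewer ID (the target). State is keyed
    by target, not by source address, so spreading guesses over many hosts
    (a botnet) shares one escalating delay instead of getting a fresh one."""
    failures: int = 0
    locked_until: float = 0.0


class BruteForceThrottle:
    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password  # callable(target_id, password) -> bool
        self._clock = clock           # injectable so the demo runs offline
        self._state = {}

    @staticmethod
    def delay_after(failures: int) -> float:
        """Exponential backoff: 2, 4, 8, ... seconds, capped at MAX_DELAY."""
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, target_id: str, password: str, source_ip: str) -> str:
        st = self._state.setdefault(target_id, TargetState())
        now = self._clock()
        if now < st.locked_until:
            # Rejected before the verifier is even consulted. A throttled try
            # does not extend the lock, otherwise hammering the ID would let an
            # attacker keep the real owner locked out (denial of service).
            return "throttled"
        if self._check(target_id, password):
            st.failures, st.locked_until = 0, 0.0   # cleared only on success
            return "ok"
        st.failures += 1                            # source_ip deliberately ignored
        st.locked_until = now + self.delay_after(st.failures)
        return "denied"

    def seconds_until_allowed(self, target_id: str) -> float:
        st = self._state.get(target_id)
        return max(0.0, st.locked_until - self._clock()) if st else 0.0


def demo_distributed_guessing(n_guesses: int = 6) -> list:
    """Wrong guesses against one ID, each from a different constructed source
    IP, submitted the moment the previous wait expires. Returns the waits."""
    t = [0.0]                                       # manual clock for the demo
    th = BruteForceThrottle(lambda tid, pw: pw == "correct-password",
                            clock=lambda: t[0])
    waits = []
    for i in range(n_guesses):
        th.attempt("123456789", f"guess{i}", f"10.0.0.{i + 1}")
        waits.append(th.seconds_until_allowed("123456789"))
        t[0] += waits[-1]
    return waits   # [2.0, 4.0, 8.0, 16.0, 32.0, 64.0]
```

The demo shows that rotating source addresses buys the attacker nothing, because the wait belongs to the targeted ID; the trade-off worth noting is that a throttled attempt must not lengthen the lock, or the mechanism becomes a way to lock the legitimate owner out.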

TeamViewer ports

TCP / UDP port 5938

TeamViewer uses port 5938 for TCP and UDP connections; this is the main port and the one through which TeamViewer works best. At the very least, your firewall should not block it.

TCP port 443

If TeamViewer is unable to connect via port 5938, it will try to connect via TCP port 443.
However, our mobile apps running on Android, iOS, Windows Mobile and BlackBerry do not use port 443.

Note: Port 443 is also used by custom modules created in the management console. If you are deploying a custom module, for example through Group Policy, you need to open port 443 on the computers where it is deployed. Port 443 is also used for several other operations, including checking for TeamViewer updates.

TCP port 80

If TeamViewer is unable to connect via ports 5938 or 443, it will try TCP port 80. The speed on this port is lower and the connection less reliable than on ports 5938 or 443, because this port carries additional overhead and, in addition, does not automatically reconnect after a temporary disconnection. Port 80 is therefore used only as a last resort.
Mobile apps running on Android, Windows Mobile and BlackBerry do not use port 80. However, our iOS apps can use port 80 if needed.

Android, Windows Mobile and BlackBerry

Mobile apps running on Android, Windows Mobile and BlackBerry can only connect on port 5938. If the TeamViewer app on your mobile device fails to connect with the message "Check your internet connection", this is probably because the port is blocked by your mobile operator or by your WiFi firewall/router.

Destination IP addresses

The TeamViewer software connects to our main servers located around the world. These servers use several different IP address ranges that change quite often, so we cannot provide a list of our servers' IP addresses. However, all of our IP addresses have PTR records pointing to *.teamviewer.com. You can use this information to limit the set of allowed IP addresses in a firewall or proxy server.
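One practical way to use the PTR-record hint above is to require forward-confirmed reverse DNS before a destination is added to an egress allow-list. This is an added example, not TeamViewer's own tooling; the DNS fixture uses RFC 5737 documentation addresses and made-up host names, and the `system_*` resolver functions are plain `socket` calls.

```python
import socket

# From the page: every TeamViewer server IP has a PTR record under
# *.teamviewer.com. A PTR alone is not proof, because whoever controls the
# reverse zone of an IP can point it at any name, so this check also requires
# forward-confirmed reverse DNS (FCrDNS): the PTR name must resolve back to the IP.
ALLOWED_SUFFIX = ".teamviewer.com"


def system_reverse(ip: str):
    """PTR lookup via the OS resolver; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str):
    """A-record lookup via the OS resolver; empty list when the name fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def is_teamviewer_destination(ip: str, reverse=system_reverse,
                              forward=system_forward) -> bool:
    name = reverse(ip)
    if not name:
        return False
    host = name.rstrip(".").lower()
    # The leading dot in ALLOWED_SUFFIX rejects look-alikes such as
    # "cdn.evil-teamviewer.com", which a bare "teamviewer.com" suffix would pass.
    if not host.endswith(ALLOWED_SUFFIX):
        return False
    return ip in set(forward(host))          # forward confirmation


def allowed_destinations(ips, reverse=system_reverse, forward=system_forward):
    """Filter candidate destination IPs down to confirmed ones, e.g. to build
    a proxy or egress allow-list from observed connections."""
    return [ip for ip in ips if is_teamviewer_destination(ip, reverse, forward)]


# Constructed DNS fixture so the check can be exercised offline. The addresses
# are documentation ranges (RFC 5737), not real TeamViewer servers.
SAMPLE_PTR = {
    "192.0.2.10": "router1.teamviewer.com.",   # genuine: PTR and A agree
    "192.0.2.20": "router2.teamviewer.com.",   # PTR claims the name, A disagrees
    "192.0.2.30": "cdn.evil-teamviewer.com.",  # look-alike domain
}
SAMPLE_A = {
    "router1.teamviewer.com": ["192.0.2.10"],
    "router2.teamviewer.com": ["198.51.100.5"],
    "cdn.evil-teamviewer.com": ["192.0.2.30"],
}


def sample_reverse(ip: str):
    return SAMPLE_PTR.get(ip)


def sample_forward(name: str):
    return SAMPLE_A.get(name, [])
```

Against live DNS, call `is_teamviewer_destination(ip)` with the default resolvers; the fixture functions exist only so the three failure modes (no PTR, spoofed PTR, look-alike domain) can be checked without network access.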
