Teamviewer has been hacked and is being targeted by thieves who are logging in, stealing bank information, and installing ransomware.
If you have Teamviewer, uninstall it immediately and check all your shit.
(no subject)
Date: 2016-06-02 12:14 am (UTC)
(no subject)
Date: 2016-06-02 12:35 am (UTC)
There's a bunch of things that might have happened to explain WHY. More important is the WHAT: Teamviewer users are getting their machines pwnt and their stored passwords, saved credentials, and live sessions stolen, and having ransomware installed.
(no subject)
Date: 2016-06-02 06:36 am (UTC)
(no subject)
Date: 2016-06-02 12:39 pm (UTC)
(no subject)
Date: 2016-06-03 01:37 am (UTC)
There is zero proof of this. So far I've found the following suggested:
1. False flash update that re-writes Teamviewer's ini file.
2. Poisoned Full Client from an unknown - but major - download site (not teamviewer.com).
3. Trojan - http://vms.drweb-av.de/virus/?_is=1&i=8161714
4. Pretty much uniform password re-use and known site hacks with people's emails being listed on https://haveibeenpwned.com/
1 and 2 are fairly bad - but aren't actually compromising Teamviewer. 3 is a generic Trojan that is utilising Teamviewer. 4 is the most likely.
Now that isn't to say Teamviewer's security model is super great - if you have an ID and a Password, you have console access to a PC. If the machine is not locked at idle (or TV Session end) this will give a user access into the server/workstation with the current user's credentials/privileges.
I've requested that they remove the requirement for an unattended password, and link it to an Auth'd TV account - and require that the TV account is auth'd via 2FA. This has been taken on board by their feature team (hah!).
(no subject)
Date: 2016-06-02 06:34 am (UTC)
People have been suggesting that TV has been hacked for about 3 months now. They responded previously with the following:
https://www.teamviewer.com/en/company/press/statement-on-potential-teamviewer-hackers/
It reads as pretty arrogant, but they are German - so you can lose that message.
FWIW I have ~1400 endpoints covered by Teamviewer, and have been a TV user since 5 (we're up to 11 now). We've not seen any contact requests or evidence of rogue TV hackings.
That's not to say it's not possible - but certainly there isn't enough evidence to say they've been hacked - not to mention yesterday's problem was a result of DNS fuckery, not a hack.
Note: I will whinge about TV to the high hell - I have problems almost daily with its client dying and not allowing remote connection on certain machines, requiring the agent to be reset before you can initiate remote support again. But I've got no solid evidence in my patch they've been hacked.
(no subject)
Date: 2016-06-02 12:43 pm (UTC)
(no subject)
Date: 2016-06-02 09:48 pm (UTC)
And like I said - I haven't seen it across ~1400 endpoints we use from an MSP perspective.
TV - or any RMM tool really - would be an excellent choice to do this kind of thing.
Reddit detectives are go - https://www.reddit.com/r/sysadmin/comments/4m8o7i/im_86ing_teamviewer_via_gpo_maybe_you_will_find/d3tin1o