TeamViewer exploited for ransomware deployment

Remote access tool TeamViewer has been abused in new ransomware attacks to gain initial network access and deploy a LockBit-based encryptor, BleepingComputer reports.
A single threat actor attempted to compromise two endpoints via TeamViewer by placing a DOS batch file on the desktop, which in turn executed a DLL payload; according to a Huntress report, the infections were either contained or averted. No ransomware operation has been officially tied to the intrusions, but researchers said the payload resembled LockBit encryptors produced with the leaked LockBit Black builder. TeamViewer, meanwhile, has attributed most unauthorized-access cases to lapses in default security settings.
"This often includes the use of easily guessable passwords, which is only possible by using an outdated version of our product. We constantly emphasize the importance of maintaining strong security practices, such as using complex passwords, two-factor authentication, allow-lists, and regular updates to the latest software versions. These steps are critical in safeguarding against unauthorized access," said TeamViewer.
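The chain Huntress describes (a TeamViewer session, a batch file on the user's Desktop, a DLL payload launched from it) is easy to turn into a process-ancestry detection. The following is an added example written for this page, not code from BleepingComputer, Huntress or TeamViewer: it runs over a handful of constructed Sysmon-style process-creation events and flags a DLL-loading process whose parent chain contains cmd.exe executing a Desktop .bat/.cmd file that itself descends from TeamViewer.exe. The use of rundll32.exe/regsvr32.exe as the DLL loader, the file names, PIDs and user names are all assumptions; the article says only that the batch file executed a DLL payload.

```python
"""Detect TeamViewer -> Desktop batch file -> DLL loader process chains.

Added example for this article; not code from Huntress or TeamViewer.
Events are constructed here to look like Sysmon Event ID 1 records.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line of the created process
    user: str


# Constructed sample events (assumed names, PIDs and users, not real telemetry).
SAMPLE_EVENTS = [
    # TeamViewer service process, the assumed entry point of the remote session
    ProcEvent(4000, 800, r"C:\Program Files\TeamViewer\TeamViewer.exe", "TeamViewer.exe", "NT AUTHORITY\\SYSTEM"),
    # malicious chain: batch file on the Desktop, then a DLL loaded via rundll32
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\alice\Desktop\PP.bat"', "CORP\\alice"),
    ProcEvent(4200, 4100, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\Desktop\update.dll,Start", "CORP\\alice"),
    # benign: an admin runs a script over TeamViewer from a tools folder, no DLL loader involved
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Tools\inventory.bat"', "CORP\\bob"),
    ProcEvent(5100, 5000, r"C:\Windows\System32\findstr.exe", "findstr foo", "CORP\\bob"),
    # benign: a Desktop batch file launched from Explorer (ppid not in telemetry), not from TeamViewer
    ProcEvent(6000, 700, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\carol\Desktop\build.bat"', "CORP\\carol"),
]

# A .bat/.cmd path under any user's Desktop folder, anywhere in a command line.
DESKTOP_BAT = re.compile(r'\\Users\\[^\\]+\\Desktop\\[^\s"]+\.(?:bat|cmd)', re.IGNORECASE)
# Assumed DLL loaders; extend with whatever your environment treats as such.
DLL_LOADER = re.compile(r"(?:rundll32|regsvr32)\.exe$", re.IGNORECASE)


def _ancestors(ev, by_pid):
    """Yield the parent chain of ev, closest parent first, guarding against PID reuse loops."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect_teamviewer_batch_dll(events):
    """Return one alert per DLL-loader process whose ancestry contains a
    cmd.exe running a Desktop batch file that descends from TeamViewer.exe."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not DLL_LOADER.search(ev.image):
            continue
        chain = list(_ancestors(ev, by_pid))
        bat_parent = next((a for a in chain if DESKTOP_BAT.search(a.cmdline)), None)
        if bat_parent is None:
            continue
        tv = next((a for a in chain if a.image.lower().endswith("teamviewer.exe")), None)
        if tv is None:
            continue
        alerts.append({
            "pid": ev.pid,
            "user": ev.user,
            "batch": DESKTOP_BAT.search(bat_parent.cmdline).group(0),
            "loader_cmdline": ev.cmdline,
            "teamviewer_pid": tv.pid,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_teamviewer_batch_dll(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three links (TeamViewer ancestor, Desktop batch file, DLL loader) keeps the rule quiet on ordinary remote administration; in the sample set only the alice chain fires, the bob session never loads a DLL, and carol's Desktop script has no TeamViewer ancestor. In production the same logic would also want the TeamViewer connection log (Connections_incoming.txt) to tie the session to a remote TeamViewer ID, and the allow-list and two-factor settings TeamViewer recommends above remove the precondition entirely.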