On June 26, 2024, TeamViewer’s security teams detected irregularities in their internal development environment. Following this detection, their incident response team took over and identified an intrusion attributed to the APT29 / Midnight Blizzard group.
These attackers managed to obtain the username and password of one of the multinational company’s employees and exfiltrated data from the employee directory. The stolen passwords were encrypted but allowed access to the internal infrastructure of the company.
After further analysis, TeamViewer’s incident response teams confirmed that the attackers did not have access to production data or customer data. However, TeamViewer continues to conduct more in-depth investigations.
As a preventive measure, we recommend closely monitoring network traffic and logs related to TeamViewer usage within your information system, especially incoming flows from the TeamViewer infrastructure.
Additionally, the exfiltrated data from TeamViewer employees could enable attackers to impersonate some of them. Therefore, it’s essential to remain vigilant regarding communications that may come from TeamViewer employees or the publisher’s support service. Raising awareness among your employees could be beneficial.
Finally, if you have other remote access tools, consider using them instead of TeamViewer until the ongoing investigations are complete. This would completely cut off flows to the TeamViewer infrastructure. 🛡️
Documentation :
