Remote Access as a Command and Control Channel

MITRE Tactics: TA0007 Discovery, TA0006 Credential Access, TA0011 Command and Control

It should be stated at the outset that TeamViewer is NOT malware. TeamViewer is a proprietary software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers. It is a useful and widely used platform that gives users remote access to computer systems. Because of its widespread use and powerful features, it has become a popular attack vector for compromising network assets. Historically, many systems and networks have been compromised using TeamViewer as an entry point. The most recent public disclosure happened only days ago, when an attacker who gained access through the TeamViewer application attempted to poison a Florida city's water supply by manipulating an industrial control system:

![]()

![]()

A good number of these application compromises are gained by cracking user credentials. One of the quickest and easiest defenses is to implement strong, long application passwords. By default, TeamViewer generates a random 6-character password for remote connections. The user can easily change this to anything desired, and a minimum password length of 16 characters is a good start. This does not entirely solve the problem, but at the very least it makes the password harder to crack. There will continue to be discussion of, and increased hardening measures for, internet-facing applications such as these. However, our focus here is on the network traffic and the indications of nefarious communications.

If your network environment does not use the TeamViewer application, monitoring your network traffic for this specific attack vector is very straightforward: if you witness any communications to or from TeamViewer domains or TeamViewer-owned IPs, those connections should be investigated. If your network environment does use the TeamViewer application, monitoring your network traffic for these specific communications becomes even more important.

In this TeamViewer lab test, we are connecting to our internal host at 192.168.99.52 from a remote system through the TeamViewer application. We have captured the network traffic generated by running TeamViewer, both at "idle" and while being used as a remotely accessed computer system. AC-Hunter has flagged these communications as a potential threat and has scored a strong beacon signal of 82.60% beacon conformity.

The traffic pattern and beaconing activity can be viewed clearly in AC-Hunter. The traffic patterns observed look very similar to command and control traffic. Notice the consistent pattern of connections in the bottom hourly histogram graph. Does this mean this is evil? Not necessarily; however, it brings these connections to our attention as ones that should be investigated.

Another method for viewing TeamViewer use within AC-Hunter is the Long Connections module:

![]()

The long connection of 46h:04m:28s highlighted in the green box is from when the TeamViewer application was installed on the host. This was installation only: no remote connections were made by the user and the application was left alone. The long connection of 14h:24m:00s highlighted in the red box is from when a remote connection was established and left connected. This information is useful not only for overall visibility of TeamViewer connections, but also for the timing of these connections. As an example, let's say that your employees use TeamViewer for remote connections during their normal 08:00-17:00 UTC work schedule.

![]()
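The three views the post relies on (regular beacon-like intervals, connections held open for many hours, and TeamViewer traffic at times or from hosts where it is not expected) can be reproduced as simple checks over connection records. The following is an added example and is not code from Active Countermeasures or part of AC-Hunter; its beacon score is a simplified stand-in (based on the coefficient of variation of the intervals) rather than AC-Hunter's conformity algorithm, the remote peer address is a constructed placeholder from a documentation range, and the sample records are constructed rather than captured:

```python
"""Added example (not from the post or AC-Hunter): beacon regularity, long
connection and off-hours checks over constructed Zeek-style conn records."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Iterable

# Constructed placeholder for the remote TeamViewer peer. The post gives no
# TeamViewer address space, so a documentation range (TEST-NET-3) is used.
TEAMVIEWER_PEERS = {"203.0.113.10"}


@dataclass(frozen=True)
class Conn:
    ts: float        # connection start, epoch seconds (UTC)
    src: str
    dst: str
    duration: float  # seconds the connection stayed open


def beacon_score(timestamps: Iterable[float]) -> float:
    """Regularity of the gaps between connection starts, scaled 0..1.

    Simplified stand-in for a beacon-conformity score, not AC-Hunter's
    algorithm: 1.0 means every interval is identical; the score falls as the
    coefficient of variation (stdev / mean) of the intervals grows.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return 0.0
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / avg)


def long_connections(conns: Iterable[Conn], threshold_hours: float) -> list[Conn]:
    """Connections held open longer than the threshold (the Long Connections view)."""
    limit = threshold_hours * 3600
    return [c for c in conns if c.duration > limit]


def off_hours(conns: Iterable[Conn], start_hour: int = 8, end_hour: int = 17) -> list[Conn]:
    """Connections that start outside the [start_hour, end_hour) UTC work window."""
    flagged = []
    for c in conns:
        hour = datetime.fromtimestamp(c.ts, tz=timezone.utc).hour
        if not start_hour <= hour < end_hour:
            flagged.append(c)
    return flagged


def unexpected_peers(conns: Iterable[Conn], allowed_srcs: set[str]) -> list[Conn]:
    """Traffic to TeamViewer peers from hosts not expected to run TeamViewer.

    An empty allow list is the "we do not use TeamViewer" case from the post:
    every such connection should be investigated.
    """
    return [c for c in conns if c.dst in TEAMVIEWER_PEERS and c.src not in allowed_srcs]


# --- constructed sample data (not captured traffic) ---------------------------
LAB_HOST = "192.168.99.52"  # the internal host from the post
PEER = "203.0.113.10"
BASE = datetime(2021, 2, 10, 9, 0, tzinfo=timezone.utc).timestamp()

# Twenty keep-alive style connections exactly one minute apart.
BEACONS = [Conn(BASE + 60 * i, LAB_HOST, PEER, 1.0) for i in range(20)]
# Two long sessions using the durations quoted in the post, plus one at 03:00 UTC.
SESSIONS = [
    Conn(BASE, LAB_HOST, PEER, 46 * 3600 + 4 * 60 + 28),
    Conn(BASE + 7200, LAB_HOST, PEER, 14 * 3600 + 24 * 60),
    Conn(datetime(2021, 2, 11, 3, 0, tzinfo=timezone.utc).timestamp(), LAB_HOST, PEER, 30.0),
]
SAMPLE = BEACONS + SESSIONS


if __name__ == "__main__":
    print(f"beacon score: {beacon_score(c.ts for c in BEACONS):.2f}")
    for c in long_connections(SAMPLE, 12):
        print(f"long: {c.src} -> {c.dst} open {c.duration / 3600:.2f}h")
    for c in off_hours(SAMPLE):
        started = datetime.fromtimestamp(c.ts, tz=timezone.utc)
        print(f"off-hours: {c.src} -> {c.dst} at {started:%H:%M} UTC")
    print(f"unexpected peers (no allow list): {len(unexpected_peers(SAMPLE, set()))}")
```

Each function returns the matching records rather than printing them, so the same checks can feed an alerting pipeline; in practice the timestamps and durations would come from Zeek `conn.log` or equivalent flow records grouped per source/destination pair, and the peer set from the TeamViewer domains and IP ranges the post says to watch.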