Since its introduction, TeamViewer has been looked upon with some suspicion by the more paranoid Internet users out there. After all,if the software exists with the primary purpose of allowing group meetings with remote access to other people’s computers from anywhere in the world, what’s to say that someone else couldn’t use it for some downright evil mischief?
Now, there’s evidence to suggest that such skepticism was well-founded. A blog post from the Laboratory of Cryptography and System Security in Budapest, Hungary, claims it has uncovered “an ongoing high profile targeted attack affecting our home country” that appears to center around misuse of TeamViewer software.
“A distinct feature of the attack is the abuse of the legitimate TeamViewer remote access tool,” the blog writes. It appears that infected computers originally had “clean” versions of the TeamViewer software installed before they were modified afterward, allowing third parties to gain remote access to machines without their users’ knowledge. This means hackers would be able not only to observe (and record) keystrokes used by the legitimate users, but could also install further malware on the machines without detection.
“The collected evidence suggest[s] that attacks have been carried out in multiple campaigns,” the post continues, suggesting that the malware attacks predate the use of TeamViewer. The CrySyS lab traced attacks to as far back as 2010 definitively, but believes that hackers have started earlier, estimating a number in double digits in terms of how many have been carried out.
Nonetheless, the group believes that those behind the TeamViewer abuse have also been behind other similar attacks, noting that the “TeamBot/Sheldor campaign” – a cyber campaign against financial institutions – may have its roots in the same source.
It’s not just Hungary that finds itself faced with this problem, either. “The telemetry revealed additional high-profile victims outside Hungary,” the blog post notes. “Indeed, multiple victims were found in Iran, including victims at http://www.sashiraz.co.ir, which is an electronics company with government background.” Other international victims of the attacks include multiple research and educational groups in France and Belgium, an electronics manufacturer with government connections in the Middle East and a NATO state embassy in Russia. Additionally, an industrial manufacturer in Russia has also been compromised.
At this time, it remains unknown where the attacks originated from. Some tools used in the attacks ran to an unknown host on a subnet. Interestingly enough, the CrySyS lab team has also tracked other tools to hosts belonging to the Ministry of Foreign Affairs of Uzbekistan. But the most obvious question remains: Why Hungary, of all places?