IT administrators allow remote access software like Zoho Assist, TeamViewer VNC Connect, Windows RDP and AnyDesk to help employees do their work away from the office.
Unfortunately, those products can also be useful to hackers, who try to leverage poorly-secured applications like these on computers to also get (unapproved) access into enterprise networks. Which is why these utilities have to be locked down.
The latest example of failing to do that comes in a report from researchers at Huntress, who recently discovered that two endpoints at unnamed organizations had been encrypted with ransomware through compromised TeamViewer software.
Logs suggest the attacker in each case was the same, Huntress staff said in a blog. On both endpoints, the initial ransomware deployment started with a DOS batch file run from the hacked user’s desktop.
Fortunately, security software on one computer limited the number of files that were encrypted. And in neither instance was there any indication the threat actor conducted reconnaissance beyond the impacted endpoint, nor attempted to move laterally to other endpoints within the infrastructure.
There have been several reports of attackers using TeamViewer and other remote access tools to their advantage. In December, Microsoft disabled Windows App Installer because threat actors were using it to trick people trying to download legitimate versions of TeamView, AnyDesk and other utilities.
Last summer, cybersecurity agencies from seven countries warned that the LockBit ransomware gang either leveraged existing installations of TeamViewer and other tools or added them to compromised IT systems.
“Threat actors look for any available means of access to individual endpoints to wreak havoc and possibly extend their reach further into the infrastructure,” Huntress warned, which is why IT administrators need a thorough inventory of software under their control so they can apply security policies.