Illustration: JMiks | Shutterstock
Threat actors used TeamViewer, a remote connectivity software, as an initial access point to deliver ransomware in two separate incidents. Cybercriminals leveraged TeamViewer connections in both incidents to establish remote access to the targeted endpoints, bypassing traditional network defences and gaining direct access to the systems.
The first incident, characterised by minimal ransomware encryption, has drawn the attention of cybersecurity researchers due to its unusual nature. Unlike traditional ransomware campaigns that rapidly escalate, these attacks were restrained, targeting only a select number of canary files.
While minimising immediate questions, this deliberate strategy raises questions about the motives and strategies of the threat actors involved.
One noteworthy aspect of these incidents is the lack of further malicious compromise activities beyond the initial endpoint compromise.
“In neither instance was there any indication of the threat actor conducting reconnaissance activities beyond the impacted endpoint, nor attempting to move laterally to other endpoints within the infrastructure,” the researchers noted.
Despite gaining access to the targeted infrastructure, there were no indications of reconnaissance efforts or lateral movement to other endpoints — a departure from typical ransomware attack patterns that often involve extensive network exploration.
Further analysis by cybersecurity experts revealed that in another instance, robust security software thwarted the threat actor’s actions, preventing the attack from spreading beyond the initial compromise. This defensive success highlights the effectiveness of proactive cybersecurity measures in mitigating evolving threats.
Investigations into the initial access method provided insights into the attackers’ tactics. Examination of log data from TeamViewer revealed key details about the threat actor who gained entry to the compromised endpoints.
In both incidents, initial access was achieved through remote access connections. For instance, log entries from the affected endpoints showcased distinct access patterns. Some logs indicated repeated access by authorised users, hinting at the potential compromise of privileged credentials.
Additionally, intermittent access patterns and significant gaps between login sessions suggested sporadic reconnaissance activities by the threat actors.
The ransomware deployment process on the compromised endpoints followed a consistent pattern, typically involving the execution of malicious scripts or batch files. However, as researchers noted, the impact varied significantly between the two incidents. The batch file, upon execution, triggered the specific rundll32.exe command.
This command invoked a malicious DLL (Dynamic Link Library) file, initiating the encryption process.
While one endpoint experienced limited encryption, confined to files in its system, another endpoint’s security posture proved resilient. Installed security measures promptly detected and blocked the ransomware’s attempts to encrypt files, preventing further damage.
Researchers have urged users to continue monitoring the system, implement layered security, and have a well-defined incident response plan to protect themselves.
In the News: SpaceX tightens enforcement on unauthorised Starlink usage worldwide