A vulnerability has been discovered in remote desktop connection application “TeamViewer” that can allow an attacker to steal the login information (username and hashed password) of a user. This can allow the attacker to crack the stolen password online or use it for additional malicious activity. TeamViewer has released patches for this vulnerability and all users are advised to update as soon as possible.
Technical detail and additional information
What is the threat?
A vulnerability has been discovered in the popular remote desktop connection application “TeamViewer” that can allow an unauthenticated remote attacker to steal the username and hashed password of the victim. An attacker can embed malicious HTML code on a website that, when clicked, will automatically launch TeamViewer’s Windows desktop application and start a remote server message block (SMB) share. This will ultimately result in the victim’s computer sharing the user’s username and hashed password, which can then be either cracked offline or relayed for another malicious purpose. If the password is ultimately cracked, the attacker would then have the complete login information for the victim’s account.
Why is this noteworthy?
As with the many other brands remote desktop connection software, there has been a sharp increase in the number of users utilizing TeamViewer daily. With this increase in potentially vulnerable users, malicious actors are subsequently finding new ways to exploit them. In addition to the large number of potentially vulnerable devices that could be impacted, it is also extremely easy for a threat actor to configure a website to perform this attack. The exploit can effectively be performed automatically after configuration, as any traffic to this compromised website will harvest the credentials of the victim. It is also noteworthy that this vulnerability has not been witnessed being actively exploited at this time.
What is the exposure or risk?
When exploited, this vulnerability will send the victim’s credentials (NTLMv2 hashed password and the system’s username) to an attacker-controlled host. From there, there are two primary uses for these credentials: cracking the stolen password or using that information in something like a relay attack. Ultimately the stolen credentials can be used to gain access to the victim’s machine, and from there the attacker has the ability to do whatever they would like (within the bounds of the stolen account’s permissions).
What are the recommendations?
TeamViewer has released a patch for this vulnerability and all users are strongly encouraged to update to this new version as soon as possible.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.