TeamViewer on Thursday disclosed it detected an “irregularity” in its internal corporate IT environment on June 26, 2024.
“We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures,” the company said in a statement.
It further noted that its corporate IT environment is completely cut off from the product environment and that there is no evidence to indicate that any customer data has been impacted as a result of the incident.
It did not disclose any details as to who may have been behind the intrusion and how they were able to pull it off, but said an investigation is underway and that it would provide status updates as and when new information becomes available.
TeamViewer, based in Germany, is the maker of remote monitoring and management (RMM) software that allows managed service providers (MSPs) and IT departments to manage servers, workstations, network devices, and endpoints. It’s used by over 600,000 customers.
Interestingly, the U.S. Health Information Sharing and Analysis Center (Health-ISAC) has issued a bulletin about threat actors’ active exploitation of TeamViewer, according to the American Hospital Association (AHA).
“Threat actors have been observed leveraging remote access tools,” the non-profit reportedly said. “Teamviewer has been observed being exploited by threat actors associated with APT29.”
It’s currently unclear at this stage whether this means the attackers are abusing shortcomings in TeamViewer to breach customer networks, using poor security practices to infiltrate targets and deploy the software, or they have carried out an attack on TeamViewer’s own systems.
APT29, also called BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes, is a state-sponsored threat actor affiliated with the Russian Foreign Intelligence Service (SVR). Recently, it was linked to the breaches of Microsoft and Hewlett Packard Enterprise (HPE).
Microsoft has since revealed that some customer email inboxes were also accessed by APT29 following the hack that came to light earlier this year, per reports from Bloomberg and Reuters.
“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor,” the tech giant was quoted as saying to the news agency.
Attack Officially Attributed to APT29
TeamViewer, in an update on Friday, attributed the attack to APT29, stating it targeted the credentials associated with an employee account within its corporate IT environment.
“Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action,” it noted in a revised alert. “There is no evidence that the threat actor gained access to our product environment or customer data.”
NCC Group, which first alerted of the breach via a limited disclosure owing to widespread use of the software, has recommended the removal of the software “until further details are known about the type of compromise TeamViewer has been subjected to.”