🧵on stealing TeamViewer credentials

Many organizations have systems with TeamViewer actively running; some know it and manage it correctly, other have no idea it is running or where. The latter probably have multiple versions #redteam #blueteam #purpleteam #ThreatThursday 1/10
I started looking deeper into TeamViewer when @snlyngaas reported that a Florida water facility had been breached. A malicious actor used TeamViewer to login and change the levels of sodium hydroxide. The plant operator say this and no damage was done cyberscoop.com/florida-water-… 2/10
For those that speak @MITREattack we are talking about T1078 Valid Accounts: attack.mitre.org/techniques/T10…
But how were these credentials obtained? We don't know but @brysonbort spoke with #RSAC about it if you want more on the Florida water plant breach: 3/10
Back to TeamViewer and stealing credentials. As I researched this more, I learned that previous versions of TeamViewer exposed credentials in the registry. While the credentials are encrypted there is a known decryption key: whynotsecurity.com/blog/teamviewe… 4/10
There was also a vulnerability in 2020 that TeamViewer fixed in CVE-2020-13699 that forced a TeamViewer end user to send their NTLM credentials: nvd.nist.gov/vuln/detail/CV… 5/10
From the #redteam perspective, it comes down to identify if TeamViewer is on the system and what version. Based on that, you can steal credentials from registry or force the TeamViewer splash screen to the front and take a screen shot. 6/10
The queries fit in a Tweet along with the screenshot:


reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer\MachineFallback

reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer

7/10 Image
#BlueTeam not sure if you have TeamViewer?
- Scan all hosts for TeamViewer.exe process
- Check for the TeamViewer service
- Look for the registry keys mentioned in this post
- Observe network traffic to confirm TeamViewer is not being sent

If you want to see the entire attack chain, check out @dan_gunter and @Tom_VanNorman at #HacktheCapitol on May 4 or at #RSAC icsvillage.com/hack-the-capit…

We will update the blog after the conference embargo. @ICS_Village #cybersecurity #breach #ICS #cyberattack
10/10 Image

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Jorge Orchilles | Unicon August 20

Jorge Orchilles | Unicon August 20 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jorgeorchilles

16 Aug 20
Reading the NSA and FBI report of Russian GRU 85th GTsSS using the Linux based Drovorub Malware. What stands out to me the most (so far) is the kernel level rootkit (stealth capabilities). All the other features seem pretty simple to emulate for Linux.

There are 4 modules: server, client, kernel-module, and agent. I like how they differentiate between client and agent where the agent does not include the kernel-module and is more for relaying and data staging. The server uses MySQL back-end, similar to other C2 frameworks.
"The name Drovorub comes from a variety of artifacts discovered in Drovorub files and from operations
conducted by the GTsSS using this malware; it is the name used by the GTsSS actors themselves. Taken together,
they translate to “woodcutter” or “to split wood.”
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!