Risk
3/21/2013
12:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Eavesdrop Using Legitimate Remote Control Software

For a decade, "TeamSpy" cyber espionage campaign has used TeamViewer software already installed on PCs to eavesdrop on communications and steal data from targets in Eastern Europe.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Remote administration tool users beware: An online espionage group that's been operating for the past decade has been surreptitiously accessing legitimate TeamViewer remote administration tools already installed on PCs to remotely eavesdrop on targets.

That warning was sounded Wednesday by the Laboratory of Cryptography and System Security (CrySyS Lab) of the Budapest University of Technology and Economics in Hungary, which began investigating the espionage operation after being approached by the Hungarian National Security Authority, which detected related attacks targeting organizations inside Hungary. The two organizations have written a detailed report into the attacks, which they released Wednesday.

CrySys is well known in security circles for discovering the Duqu malware, as well as working with Kaspersky Lab to discover the complex Flame malware.

[ Twitter users must beware, too. Read MiniDuke Espionage Malware Uses Twitter To Infect PCs. ]

What's interesting about this newly discovered "covert cross-nation, cyber surveillance data theft and monitoring operation" -- in the words of a Kaspersky Lab blog entry published Wednesday -- is that instead of compromising targeted PCs with malware, it exploits the popular TeamViewer remote control, desktop sharing and file transfer software. The application and related services are free for non-commercial use, and count over 100 million users.

Dubbed the TeamSpy attacks, they remain ongoing, and have largely targeted Eastern European countries, including the Commonwealth of Independent States, which includes Russia. CrySyS said that the group behind the attacks seems to have been operating since at least 2004.

According to a CrySyS blog entry posted Wednesday, it first encountered evidence of the TeamSpy campaign when it studied recovered malware samples from November 2012, when a "Hungarian high profile governmental victim" was infected. Other high-profile victims it's identified include a Iranian high-technology firm with government ties, which was attacked in April 2010, as well as the NATO/EU embassy in Russia, a Russian industrial manufacturer, and French and Belgian research and educational organizations, all of which were successfully attacked in March 2013. Activists in Belarus also spotted attacks in 2012 that have since been tied to the TeamSpy campaign.

Information targeted by attackers has included Word documents, Excel spreadsheets, PDF files, PGP credentials and other files related to public-key cryptography, as well as filenames containing Georgian and Russian words for "secret" and "password." According to Kaspersky Lab, attackers also targeted "Apple iOS device history data from iTunes," as well as detailed information about operating systems and BIOS. Attackers could also log keystrokes and capture screenshots.

CrySyS Lab said that the types of files and documents targeted "indicates that they were looking not only for passwords, but also for cryptographic keys, which goes beyond attacks against ordinary users."

Who's behind the attacks? So far, information is scant. Much of the attack infrastructure appears to have been written in Russian. Furthermore, some of the command-and-control servers used in the attacks contained references to the politnews.org website, which CrySyS said was registered in the name of "Krepov Bogdan Serafimovich."

Security researchers have yet to detail exactly how targeted PCs running TeamViewer were compromised by attackers, other than to say that the infections appear to have resulted from a Windows installer -- built using NullSoft installer -- being executed. The two versions of this installer recovered to date were named "DSC.exe" and "TeamViewer.ico."

Those installers were used to drop malware onto compromised PCs. "The TeamSpy operations are supplemented by a variety of custom-built surveillance modules," including "reconnaissance and stealth modules," said Kaspersky Lab. Those modules have included a DLL file "that uses a vulnerability in TeamViewer v6 known as DLL-hijacking," it said. "If this file is stored in the same folder as TeamViewer.exe, then when TeamViewer is started it will show no warning, no popups, no systray icons, and will silently continue working, providing remote access to the infected machine."

But overall, Kaspersky Lab said the attack code wasn't highly sophisticated, and surmised that the choice of TeamViewer as an attack platform related to attackers' limited budget or expertise. "The toolset demonstrates clever, although lazy choices about legitimate software and certificate abuse, along with a minimal but effective effort at using simple and crude custom encryption algorithms," it said.

InformationWeek is conducting a survey on security and risk management. Take the InformationWeek 2013 Strategic Security Survey today. Survey ends March 29.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/2/2013 | 3:44:09 PM
re: Hackers Eavesdrop Using Legitimate Remote Control Software
That is some very scary information, and the fact the hackers have been doing this for over a decade. Let me further point out the by Kaspersky Lab stating that the code is not highly sophisticated kind of pushes my buttons. I mean if it was not highly sophisticated then how did it gets through and how was it able to infect various computers. Apparently it was a little highly sophisticated then their filters to pick it up.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.