TeamViewer Credits Network Segmentation for Rebuffing APT29 Attack

This week, TeamViewer said that while the Russian group APT29, aka Midnight Blizzard, managed to access its corporate network, the threat actors were limited to the company's internal IT network because of "strong segmentation" between its environments. Thus, no customers were affected.

In public statements on June 27 (reiterated today), the German maker of remote desktop software said, "[W]e keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach."

Defense-in-depth is a set of basic techniques, including network segmentation, that the US government consistently urges people to implement. Others include network monitoring, multifactor authentication, and access control lists.

Even so, because of the potential mischief a bad actor with desktop access can wreak, TeamViewer users should up their security game, according to industry groups. The NCC Group, which originally issued a warning under an amber/limited classification but then changed it to green/public, advised its customers that, while awaiting final confirmation of the extent of compromise, they remove TeamViewer from their systems if possible and closely monitor hosts that had the application installed if not.

The Health Information Sharing and Analysis Center (H-ISAC) meanwhile issued similar advice to the healthcare sector, adding that organizations should implement two-factor authentication (2FA) and allowlists/blocklists to control who gets to access systems via TeamViewer.

Stakes are particularly high for remote access application security because of the legitimate access to users' systems such software provides. In January, Huntress reported that two hacking attempts started with TeamViewer instances, and there is a long history of attackers using remote desktop software to implant malware. The apparently limited impact of the latest incident shows the value of defense-in-depth techniques to limit the effect of intrusions.