Blackpoint Tackles TeamViewer and AnyDesk Threats in Government and Industrial Incidents 

Between November 06-13, 2024, Blackpoint’s Security Operations Center (SOC) responded to 658 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. These incidents involved confirmed or likely threat actor use of:

• Attempted TeamViewer Incident.
• AnyDesk Incident.

In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.

Topline Takeaways

• Industry target: Government
• Blackpoint SOC actions:
  • Isolated impacted devices
  • Contacted partner
• Attacker Information:
  • TeamViewer
  • Remote desktop protocol (RDP)
  • Publicly accessible virtual private network (VPN) portal
• Recommended mitigations:
  • Provide a dedicated software center.
  • Implement application controls.
  • Regularly audit both environment and endpoints.

Incident Timeline for 2024-11-11

Blackpoint’s MDR technology alerted our Active SOC to an RDP login from an unmonitored device for a user with a government partner to a monitored device. The threat actor then attempted to run the remote monitoring and management (RMM) tool TeamViewer; however, the activity was blocked by Managed Application Control (MAC).

Additional investigation revealed the threat actor attempted enumeration activity by using the Windows tool, net.exe, to query the local administrator group and user information. A review of the environment revealed a publicly accessible VPN portal, there is an even chance this was the initial access vector abused by the threat actor.

Due to the suspicious activity, including a lack of RDP activity from the observed user over the previous six months, Blackpoint’s SOC isolated all affected devices and reached out to the partner to provide information related to the incident.

More About TeamViewer

TeamViewer is a remote access and control software that allows users to connect to and control other computers and devices. TeamViewer is a legitimate tool used by organizations as it is capable of assisting with:

• Asset management
• Device monitoring; and
• Endpoint protection

Threat actors often find this type of tool attractive target and tool to use during cyberattacks due to the wide availability, ability to establish persistence, and the potential for blending into normal traffic.

APG Threat Analysis for TeamViewer

Blackpoint’s Adversary Pursuit Group (APG) predicts the continued use of legitimate RMM tools for persistent access to compromised devices over the next 12 months.

Blackpoint’s APG has identified at least four ransomware operations and five threat groups that have been reported to use TeamViewer in publicly reported incidents.

This assessment is supported by Blackpoint observed incidents, such as the August 30, 2024 incident impacting a healthcare partner, and external reporting detailing the use or targeting of RMM tools, including a June 2024 report of Russia-linked APT29 cyberattack targeting TeamViewer.

Mitigations

• Dedicated Software Center: Ensure employees only download software from monitored, approved sources.
• Implement Managed Application Control (MAC) for continuous monitoring and blocking of unapproved software.
• Regularly audit both environment and endpoints to identify potential rogue applications and potential old/unused accounts that should be removed.

Topline Takeaways

• Industry target: Industrials
• Blackpoint SOC actions:
  • Isolated impacted devices
  • Contacted partner
• Attacker methods:
  • AnyDesk
  • PsExec
• Recommended mitigations:
  • Implement strict controls on the use of scripting languages.
  • Employ least-privilege access controls.

Incident Timeline for 2024-11-13

Blackpoint’s MDR technology alerted to an admin account mounting network share ADMIN$ on a device of an Industrials partner. Immediately following, Blackpoint’s MDR alerted to the installation of the remote management tool AnyDesk on the device. No further malicious activity was identified.

Blackpoint’s SOC responded to the incident by isolating the affected device for lateral movement from the VPN IP pool and the anomalous AnyDesk installation and contacted the partner to provide details of the event.

More About AnyDesk

AnyDesk is a remote desktop application that can run in the cloud or on-premises and allows users to remotely access systems and transmit data between devices. The tool is used by many Managed Service Providers (MSPs) to provide remote assistance, system management, and monitoring to their end clients.

AnyDesk is an attractive tool for multiple threat actors and has often been observed being used to maintain persistence on a compromised device and to evade detection. Blackpoint’s APG has tracked at least 20 ransomware operations that have been reported to use AnyDesk.

APG Threat Analysis for AnyDesk

APG predicts the continued use of remote monitoring tools, such as AnyDesk, over the next 12 months for persistence. This assessment is supported by Blackpoint observed incidents, such as the September 14, 2024 and September 19, 2024 incidents with Industrials partners.

The assessment is also supported by external reporting of threat actors both using and targeting the AnyDesk software, such as the February 2024 report of attackers targeting AnyDesk. This highlights the continued use and targeting of remote management tools for persistence, supply chain attacks, and more.

Mitigations

• Implement strict controls on the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions.

These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.