
FireEye confirms APT41 hacked TeamViewer, may have accessed billions of devices - miles
https://twitter.com/cglyer/status/1182413194360508419
======
AlphaWeaver
Reposting what TheKnack said [0] as a top level comment, since this is
important.

> The Chief Security Architect of FireEye posted this Tweet last week
> clarifying that there isn't a new compromise of TeamViewer, and the social
> media posts suggesting there is are misinterpreting a slide from a
> conference presentation.
>
> [https://twitter.com/cglyer/status/1183210046093758464](https://twitter.com/cglyer/status/1183210046093758464)

[0]: [https://news.ycombinator.com/item?id=21308518](https://news.ycombinator.com/item?id=21308518)

~~~
geoah
There is a more official statement from TV as well.
[https://community.teamviewer.com/t5/Announcements/FireEye-cl...](https://community.teamviewer.com/t5/Announcements/FireEye-clarification-regarding-misleading-Social-Media-post/td-p/73804)

~~~
ddtaylor
> TeamViewer is safe to use

How often has that been true? TV has been hacked more than once AFAIK.

~~~
egeozcan
TV gives full access to computers through passwords and it seems it's not
brute-force resistant. Think about how long an SSH server with password
enabled and no autoban would last in the open...

Edit: nevermind, the attack is apparently through some malware.

~~~
gyaru
> Think about how long an SSH server with password enabled and no autoban
> would last in the open

Quite long? Unless you're using a bad password I don't really see any risk
other than filling logs from password attempts.
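The "autoban" egeozcan refers to is easy to see in code. What follows is an added example, not code from the thread or from any of the tools mentioned: a fail2ban-style detector that reads sshd "Failed password" lines and flags a source address once it crosses a failure threshold inside a sliding time window. The log lines are constructed samples in the format OpenSSH writes to syslog; the threshold, window and year (syslog timestamps carry none) are assumptions.

```python
"""Minimal fail2ban-style detector: flag source IPs that exceed a number of
failed SSH password attempts within a sliding time window.

Added example, not code from the thread. SAMPLE_LOG is constructed, not a
real capture; the year, threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log (sshd via syslog); not a real capture.
# 203.0.113.7 hammers the host, 198.51.100.9 fails slowly and then logs in.
SAMPLE_LOG = """\
Oct 14 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 14 10:00:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct 14 10:00:04 host sshd[2105]: Failed password for root from 203.0.113.7 port 51034 ssh2
Oct 14 10:00:06 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51040 ssh2
Oct 14 10:00:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 51044 ssh2
Oct 14 10:05:00 host sshd[2150]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Oct 14 10:20:00 host sshd[2200]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Oct 14 10:35:00 host sshd[2250]: Failed password for alice from 198.51.100.9 port 40004 ssh2
Oct 14 10:50:00 host sshd[2300]: Failed password for alice from 198.51.100.9 port 40006 ssh2
Oct 14 11:05:00 host sshd[2350]: Failed password for alice from 198.51.100.9 port 40008 ssh2
Oct 14 11:05:30 host sshd[2352]: Accepted publickey for alice from 198.51.100.9 port 40010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2019):
    """Yield (timestamp, ip, user) for every failed-password line.

    The year is an assumption: syslog timestamps do not include one.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def ban_candidates(log_text, max_failures=5, window_seconds=600):
    """Return {ip: timestamp at which the threshold was first crossed}.

    Sliding window: an IP is flagged when it accumulates max_failures failed
    attempts within window_seconds. Failures spread over a longer period do
    not trigger, the same trade-off fail2ban makes with maxretry/findtime.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        # Drop attempts that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold crossed at {when:%H:%M:%S})")
```

With the defaults only 203.0.113.7 is flagged; the slow attacker at 198.51.100.9 stays under the radar because its five failures span an hour, which is exactly the gap gyaru's "filling logs" observation leaves open. Widening the window to an hour catches it too, at the cost of more false positives from users who simply mistype.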

------
miles
The article should've linked to this tweet[0] by the same researcher instead:

> "APT41 compromised company behind TeamViewer - which enabled them to access
> _any_ system with TeamViewer installed"

[0] [https://twitter.com/cglyer/status/1182413194360508419](https://twitter.com/cglyer/status/1182413194360508419)

~~~
dang
Ok, we changed the URL to that from
[https://www.securitynewspaper.com/2019/10/14/fireeye-confirm...](https://www.securitynewspaper.com/2019/10/14/fireeye-confirms-that-apt14-group-hacked-teamviewer-attackers-would-have-accessed-billions-of-devices/). Thanks!

~~~
ryanlol
The title could still be a bit better, the story is about the _ability_ to
access billions of devices. There is zero indication that billions of devices
were actually accessed.

~~~
dang
Sorry for the belated reply; I just saw this. I suppose "may have accessed"
was intended to communicate that in the title?

~~~
ryanlol
I'm sure it was, I'm just not so sure that it does a very good job at that.

I feel like the most obvious interpretation of this is "APT41 possibly
accessed billions of devices" which is incorrect, they had the ability but it
is known that they only accessed a rather limited set of devices.

I'm not sure what would've been a better title though, especially given the
length restrictions ¯\\_(ツ)_/¯

------
flaxton
MeshCentral is open source, runs on Linux and works with Windows, Mac and
Linux clients for one-off support and unattended remote control...

~~~
VvR-Ox
Thank you for the hint, I used AnyDesk (think it was built by people who
worked at TV) but I'd enjoy an open source solution even more if it does what
it should.

~~~
close04
I've been using MeshCommander/MeshCentral (and their older tools like Open
MDTK) since the first public versions, both for vPro/AMT related management
tasks, and remote control. I'm very happy with them but I certainly won't rely
on the assumption that they can't be hacked. With enough "motivation" an
attacker has plenty of targets on the logistics chain where a vulnerability
can be introduced (in the code, in the installer, etc.).

------
kuon
Speaking of TeamViewer, do you know a good open source alternative that I can
self host (I mean self host the relay server for NAT traversal)? That is as
easy to use? Works on Windows, Mac and Linux? It should also be installable in
a few clicks with no network configuration required.

~~~
jszymborski
I haven't tried this, but I imagine a situation where computer A uses SSH to
connect to VPS B and computer C connects to VPS B using SSH. If both SSH
connections port-forward a VNC port, you can use VNC.

~~~
kuon
Yes, technically it could work, but I cannot ask the users to use SSH and
configure VNC. The strength of TeamViewer is that you download it, open it,
give the number over the phone and it works.

~~~
EquallyJust
Chrome remote desktop works pretty well

~~~
dhekir
But for remote control, it stops after every few minutes, asking the
"controlled" user to click on a button to continue. Not so practical in a few
situations.

~~~
pixl97
What do you mean? I've never had it do that.

~~~
dhekir
It always happens for me when accessing a Linux machine remotely. I can't find
a screenshot now, so the next time I do it, I'll take one. It seems to be a
security measure, to prevent someone from sharing remote access and then
forgetting about it afterwards, but it makes for terrible usability.

------
r00fus
> This group of hackers uses highly sophisticated malware variants, primarily
> developed for espionage, so we consider it unlikely that any State is
> sponsoring its operations,” Glyer says.

> The web application security expert adds that, based on detected activities
> and attack methods, in addition to the unusual interest that APT41 has shown
> in attacking the video game industry, its attacks could not be politically
> motivated; instead, they’re focused on economic gains.

I’d like to know how can one simply assume this given a potential payoff of
billions of devices...

~~~
pryce
Especially given that the "Video Game Industry" probably represents a pretty
large group of heterogeneous, idiosyncratic chat protocols, which I certainly
would be interested in if I were the Chinese Govt.

------
xellisx
Is this from the 2016 hack or a new one?

~~~
TheKnack
The Chief Security Architect of FireEye posted this Tweet last week clarifying
that there isn't a new compromise of TeamViewer, and the social media posts
suggesting there is are misinterpreting a slide from a conference
presentation.

[https://twitter.com/cglyer/status/1183210046093758464](https://twitter.com/cglyer/status/1183210046093758464)

------
zaroth
There is an ongoing trend the last several weeks of highly sensationalized
cybersecurity incidents being mis-reported and ending up being nothing.

Not sure if it’s just a cluster of fuckups or if something is contributing to
the uptick in false reports. But add this one to the list.

------
rurounijones
So I use TV for occasional family support.

Were machines vulnerable with only Teamviewer:

1\. Installed but not being used?
2\. Only when being used (i.e. ask family member to fire it up and give the connection info)?

~~~
giancarlostoro
If the software is not running when closed (system process) then it should
mostly be fine.

~~~
rurounijones
Yeah, you never obviously know these days if there are background services
running.

------
jsjohnst
The article doesn’t give me any confidence in their reporting and is a site
I’ve not heard of, so I’m feeling it’s a bit suspect. Anyone have a better
source?

------
miles
Site is currently unresponsive. Cached version:

[http://archive.is/bklNU](http://archive.is/bklNU)

~~~
m463
Has anyone noticed that archive.is has pretty appalling DNS-based tracking?

~~~
drcross
Can you explain what you mean?

~~~
nyolfen
[https://news.ycombinator.com/item?id=19828317](https://news.ycombinator.com/item?id=19828317)

~~~
m463
no, I meant the pixel.archive.is stuff

------
xvector
TeamViewer devs are especially to blame for this. You can’t install it without
admin permissions even if you just want to control another desktop. Unless you
manually extract the .app from the .pkg, in which case it works fine.

Anyways, this isn’t the first time TeamViewer has been hacked. Wonder what
their beef is against E2EE between connected computers.

~~~
Intermernet
On Windows it can be used by a standard user without being installed. It's
much more difficult to do this on macos. Even on Windows there are dark
patterns that make this difficult, but it can be done.

------
Exuma
How do we tell if we are affected? Also, how could it do anything if TV isn't
open?

~~~
badrabbit
This is from 2016. It's hard to say how you can tell without knowing what
techniques were used against you specifically; if you have FireEye's network or
endpoint products (or any other major vendor's) they would provide coverage for
any remnants of compromise by that threat actor.

------
neonate
[https://web.archive.org/web/20191020150307/https://www.secur...](https://web.archive.org/web/20191020150307/https://www.securitynewspaper.com/2019/10/14/fireeye-confirms-that-apt14-group-hacked-teamviewer-attackers-would-have-accessed-billions-of-devices/)

