The Health Information Sharing and Analysis Center (H-ISAC) issued a threat bulletin on June 27, alerting the healthcare and public health sector to active cyberthreats exploiting TeamViewer remote connectivity software. TeamViewer had warned that an APT hacking group breached its corporate environment in a cyberattack yesterday.
TeamViewer said in a statement that the intrusion was tied to compromised credentials of a "standard employee account" and that its corporate IT environment had been compromised. It added that the corporate network is independent of its production environment.
The threat actor tracked as APT29 is a Russian hacking group that has operated since at least 2008. This hacking group is associated with Russia’s intelligence agencies, the Federal Security Service (FSB) and Foreign Intelligence Service (SVR).
TeamViewer is prevalent inside healthcare and industrial organizations as a remote access tool used for updates and maintenance. Tools such as these are tempting targets for advanced actors, who use them to access compromised systems remotely. Given that APT29 may have access to TeamViewer's network, organizations should be wary of a supply chain attack. Supply chain attacks have been a preferred tactic of advanced persistent threat actors such as APT29. For example, incidents such as the SolarWinds attack and NotPetya demonstrated how attackers could push exploits and malicious code at scale through the software update mechanism to disrupt or manipulate victims' systems.
In its threat bulletin, H-ISAC has addressed indicators of compromise and outlined some recommendations for users, including:
H-ISAC recommends users review logs for any unusual remote desktop traffic.
H-ISAC indicated that threat actors have been observed leveraging remote access tools.
The agency also recommends users enable two-factor authentication and use the allowlist and blocklist to control who can connect to their devices, among other measures.
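One way to act on the log-review and allowlist recommendations above is to scan connection logs for TeamViewer sessions and surface the ones that need an analyst's attention. The script below is an added example, not code from H-ISAC or Claroty; it assumes TeamViewer's default TCP port 5938 and its *.teamviewer.com relay hosts identify a session, and uses a constructed allowlist, maintenance window and log lines.

```python
# Added example (not from H-ISAC or Claroty): review connection logs for TeamViewer
# sessions and flag hosts not on an approved remote-access allowlist.
import re
from datetime import datetime

# Assumptions: TeamViewer's default port 5938 and *.teamviewer.com relay hosts mark a
# session; the allowlist and maintenance window below are constructed for the example.
TEAMVIEWER_PORT = 5938
TEAMVIEWER_DOMAIN = re.compile(r"(^|\.)teamviewer\.com$")
ALLOWLIST = {"10.0.5.21"}          # constructed: a host approved for vendor maintenance
MAINTENANCE_HOURS = range(8, 18)   # constructed: local hours when maintenance is expected

# Constructed sample lines in a simple "timestamp src dst dst_port dst_host" format.
SAMPLE_LOG = """\
2024-06-27T09:15:02 10.0.5.21 198.51.100.10 5938 router13.teamviewer.com
2024-06-27T23:41:17 10.0.7.88 198.51.100.11 5938 router7.teamviewer.com
2024-06-27T11:03:44 10.0.9.14 203.0.113.8 443 vendor-portal.example
2024-06-27T02:10:09 10.0.5.21 198.51.100.12 443 master3.teamviewer.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, host = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "host": host}

def is_teamviewer(rec):
    # Match on the well-known port or the relay hostname, since clients can fall back to 443.
    return rec["port"] == TEAMVIEWER_PORT or bool(TEAMVIEWER_DOMAIN.search(rec["host"]))

def review_log(text):
    """Return (src, reason) findings for TeamViewer sessions that warrant review."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_teamviewer(rec):
            continue
        if rec["src"] not in ALLOWLIST:
            findings.append((rec["src"], "TeamViewer session from host not on allowlist"))
        elif rec["ts"].hour not in MAINTENANCE_HOURS:
            findings.append((rec["src"], "allowlisted host active outside maintenance window"))
    return findings

if __name__ == "__main__":
    for src, reason in review_log(SAMPLE_LOG):
        print(f"{src}: {reason}")
```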
In this incident, the unauthorized activity involved using the credentials of a standard employee account to access the corporate environment. With prolific cyber actors on the rise, this incident further emphasizes the growing danger of relying on remote access tools that were not designed with CPS security requirements in mind.
For customers utilizing Claroty xDome for Healthcare (formerly Medigate), please follow the attached walkthrough to filter for all devices communicating over the TeamViewer protocol: