"The analysis of TeamViewer traffic logs showed that someone had remotely executed surprise.exe process on computers, which resulted in malware injection behind the scenes," Balaban explains in a post. "Furthermore, the researchers discovered that the user ID was identical across most of the unauthorized remote connection sessions, but not all. It's therefore premature to state for a fact that one account (479440875) was used to infect systems. The scariest thing is that the strange traffic behavior had been taking place for months in some of the reported cases."

To get to the bottom of this ransomware campaign, Balaban recommends that TeamViewer attempt to identify the suspicious account by its user ID.
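The detection step described above, reviewing incoming-session records for a remote ID that does not belong to the organisation, can be done on the endpoint side as well. The following is an added example, not code from the original article or from TeamViewer: it parses a constructed, tab-separated session log modelled loosely on TeamViewer's Connections_incoming.txt (the exact column layout is an assumption), flags sessions from remote IDs outside an allowlist or starting outside business hours, and counts sessions per remote ID.

```python
"""Flag incoming remote-control sessions from unknown IDs or at odd hours."""
from collections import Counter
from datetime import datetime

# Constructed sample log. Assumed layout (one session per line, tab-separated):
# remote_id, remote_name, start, end, local_user, session_type, connection_guid
# The ID 479440875 is the account named in the article; the rest is made up.
SAMPLE_LOG = """\
312456789\tHelpdesk-01\t10-03-2016 09:02:11\t10-03-2016 09:15:40\tjdoe\tRemoteControl\t{1111-aaaa}
479440875\tRemote-PC\t11-03-2016 02:41:03\t11-03-2016 02:44:19\tjdoe\tRemoteControl\t{2222-bbbb}
312456789\tHelpdesk-01\t14-03-2016 13:10:00\t14-03-2016 13:25:30\tjdoe\tRemoteControl\t{3333-cccc}
479440875\tRemote-PC\t18-03-2016 03:05:47\t18-03-2016 03:07:02\tjdoe\tFileTransfer\t{4444-dddd}
"""

ALLOWED_IDS = {"312456789"}  # remote IDs the helpdesk actually uses (assumed)
TIMESTAMP = "%d-%m-%Y %H:%M:%S"


def parse_sessions(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        remote_id, name, start, end, user, kind, guid = fields
        sessions.append({
            "remote_id": remote_id, "name": name,
            "start": datetime.strptime(start, TIMESTAMP),
            "end": datetime.strptime(end, TIMESTAMP),
            "user": user, "type": kind, "guid": guid,
        })
    return sessions


def flag_sessions(sessions, allowed_ids, night_start=22, night_end=6):
    """Return (guid, remote_id, reasons) for each session worth a closer look."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in allowed_ids:
            reasons.append("unknown remote ID")
        hour = s["start"].hour
        if hour >= night_start or hour < night_end:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((s["guid"], s["remote_id"], reasons))
    return flagged


def sessions_per_id(sessions):
    """How often each remote ID connected; a repeated unknown ID stands out."""
    return Counter(s["remote_id"] for s in sessions)
```

Correlating the flagged connection GUIDs with process-creation events for the same window is how the "remotely executed surprise.exe" observation in the article would be confirmed on a host.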
UPDATE (03/21/2016)
Axel Schmidt, Public Relations Manager at TeamViewer, has contacted The State of Security to clarify this incident:

"We looked thoroughly at the cases that were reported to us. And according to our investigation, the underlying security issues cannot be attributed to TeamViewer," he told The State of Security in an email. "So thus far we have no evidence that would suggest any potential security breach of TeamViewer that attackers exploit. Furthermore, a man-in-the-middle attack can nearly be excluded because of TeamViewer's deployed end-to-end encryption. Apart from that, we would like to state that none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer."

Schmidt has also emphasized that "careless use," or the use of the same password across multiple online accounts, explains nearly all of the cases that TeamViewer's staff have examined. With that in mind, he recommends that all TeamViewer users download the software only through official company channels; protect all of their web accounts with strong, unique passwords; protect their TeamViewer accounts specifically with two-factor authentication; and verify that their device or computer has not already been infected by malicious software.