Share this
RMM Tool Vendor, TeamViewer says Segmentation Between Environments Prevented Widespread Attacks
by William Toll on Jul 1, 2024 7:44:00 AM
TeamViewer, a popular RMM (Remote Monitoring and Management) tool vendor, reported that its recent breach by cyberthreat actor Midnight Blizzard/APT29 resulted in limited damage, thanks to network segmentation architecture that prevented lateral movement across environments.
TeamViewer announced details of the breach this week, which had more than 600,000 customers globally on alert. In a statement on their “Trust Center” page, TeamViewer stated: “Following best-practice architecture, we have strong segregation of the Corporate IT, production environment, and TeamViewer connectivity platform in place. This means we strictly separate all servers, networks, and accounts to help prevent unauthorized access and lateral movement between environments. This segregation is one of multiple layers of protection in our ‘defense-in-depth’ approach.”
The investigation and incident response team for the attack compromised both TeamViewer employees and leading global cybersecurity experts. They determined the source of the June 26 attack as originating from the credentials of a standard employee account within the corporate IT environment.
Software Supply Chain Security Is Critical
This TeamViewer software supply chain attack demonstrates how threat actors can exploit even the most fortified systems by circumventing traditional detection methods through advanced techniques. The attackers are believed to be Midnight Blizzard/APT29, a nation-state-backed threat actor group associated with Russia’s Foreign Intelligence Service (SVR), which has been operating since 2008.
The attack underscores the importance of software supply chain security. TeamViewer acknowledges that it represents a significant, homogenous attack surface and vector for its global customer base of over 600,000. Remote Monitoring and Management (RMM) software is extensively used by corporate IT teams and managed service providers (MSPs) to connect to, monitor, and control computers, machines, and other devices across an organization or client endpoints.
RMM Tools As An Attack Vector
RMM tools have long been recognized as attack vectors. One of the most notable attacks was the Kaseya VSA ransomware attack (July 2021), which caused downtime for over 1,000 organizations. Other recent attacks leveraging RMM tools include ConnectWise ScreenConnect (2024), detailed by Huntress, an active vendor and MSP community member.
Unfortunately, ConnectWise ScreenConnect has been used during a spate of recent Blackcat ransomware attacks against healthcare providers, according to the FBI, CISA, and HHS. As a result of this attack, ConnectWise collaborated closely with their teams and the MSP community, making several changes to their incident response program, detailed by their CISO.
All these RMM attacks have prompted global authorities to collaborate actively, educating and providing guidance. Consequently, cybersecurity authorities from the United Kingdom, Australia, Canada, New Zealand, and the United States have released a joint advisory with CISA titled Protecting Against Cyber Threats to Managed Service Providers and their Customers Alert Code AA22-131A, along with a specific advisory for Protecting Against Malicious Use of Remote Monitoring and Management Software Alert Code AA23-025A.
The Value of Microsegmentation and Identity-Based Zero Trust Architectures
RMM tools, like many others in the IT management stack, require organizations to be vigilant in understanding how to protect their attack surface and limit the potential blast radius from vulnerabilities in their “software supply chain vendors.” Properly deployed network segmentation and identity-based explicit trust architectures are essential components of a robust Zero Trust and defense-in-depth security program. This approach minimizes lateral movement by attackers, making it challenging for them to discover or access critical systems and data. Network segmentation also enables more granular control and monitoring of traffic between segments, facilitating quicker detection and response to malicious activities. By implementing identity-based policies that dynamically adjust to user and device contexts, organizations can bolster their security posture, reduce the attack surface, and better defend against sophisticated threats aligned with the MITRE ATT&CK framework.
Elisity can block lateral movement, minimize the attack surface, and prevent unauthorized data exfiltration by dynamically profiling and controlling access based on identities. This comprehensive approach ensures that even if an attacker breaches part of the network, their ability to propagate and cause further damage is significantly curtailed. With Elisity, organizations can enhance their security posture, safeguard critical assets, and maintain network integrity, thereby ensuring business continuity and resilience against future threats.
Request a demo to see how Elisity can greatly accelerate your microsegmentation efforts.
Share this
- Blog (30)
- Cybersecurity (13)
- Zero Trust (12)
- Enterprise Security (10)
- Identity (5)
- Elisity (4)
- Enterprise Architecture Security (4)
- Network Security (4)
- Remote Access (4)
- microsegmentation (3)
- Black Hat (2)
- Identity and Access Management (2)
- blogs (2)
- Adaptive Trust (1)
- MITRE (1)
- News (1)
- Software Supply Chain Security (1)
- case study (1)
- cyber resilience (1)
- December 2024 (1)
- November 2024 (5)
- October 2024 (7)
- September 2024 (5)
- August 2024 (3)
- July 2024 (4)
- June 2024 (2)
- April 2024 (3)
- March 2024 (2)
- February 2024 (1)
- January 2024 (3)
- December 2023 (1)
- November 2023 (1)
- October 2023 (2)
- September 2023 (3)
- June 2023 (1)
- May 2023 (3)
- April 2023 (1)
- March 2023 (6)
- February 2023 (4)
- January 2023 (3)
- December 2022 (8)
- November 2022 (3)
- October 2022 (1)
- July 2022 (1)
- May 2022 (1)
- February 2022 (1)
- November 2021 (1)
- August 2021 (1)
- May 2021 (2)
- April 2021 (2)
- March 2021 (3)
- February 2021 (1)
- November 2020 (2)
- October 2020 (1)
- September 2020 (1)
- August 2020 (3)
No Comments Yet
Let us know what you think