Skip to content

Inside the TeamViewer Attack:
Segmentation Prevented Threat Propagation

Effective network segmentation can be the difference between a contained breach and a full-scale security disaster.

On June 26th, the Teamviewer team discovered an irregularity on their IT environment. Luckily no customer was affected. In this article we’re going to discover how did the Teamviewer team manage to contain the breach and protect all their customers.

How did it happen?

TeamViewer realized they were hacked due to compromised credentials of an employee account within their IT environment. The company instantly recognized the suspicious activity, and attributed the attack to APT29, also known as Cozy Bear or Midnight Blizzard. This hacking group has a history of performing sophisticated cyber-espionage attacks, including the famous SolarWinds supply chain attack which is one of the most impactful incidents in recent history​ (18000 customers were affected).

The hackers gained access using stolen credentials, emphasizing a vulnerability in the handling of employee accounts. However, TeamViewer assured that the attack was contained within its corporate IT network, and no compromise of any customer environment.

What were the attack consequences?

  • Operational disruption: Even if customer services had not been affected, the attack led to substantial operational disruptions in the TeamViewer’s internal corporate IT environment. The urgent reaction required isolating affected systems and conducting thorough investigations, which held back regular business activities.
  • The compromise of employee’s data: The hackers accessed and copied critical employee information such as names, corporate contact details, and encrypted passwords. This increases the risk of leveraging this information to perform further attacks.
  • Financial losses: The breach had a significant financial impact. Right after the announcement, TeamViewer’s stock price dropped by 10% representing a significant hit to the company’s market reputation and financial status.
  • Reputational damage: Even though the hack was contained, and it didn’t affect end users, it certainly raised fears about using remote desktop access tools that are similar to TeamViewer. On the other hand, the U.S. Health Information Sharing and Analysis Center (Health-ISAC) issued a bulletin that warns about the continuous exploitation of TeamViewer by threat actors.

The reasons why customers were not affected

Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place. This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our ‘defense in-depth’ approach.

TeamViewer stated that their end users didn’t get affected by the attack due to their segmentation security strategy. Network segmentation consists of dividing a network into isolated segments to limit the spread of an attack. Proper segmentation guarantees that even if one segment of the network is compromised, the hacker will not be able to move laterally to other segments.

In the case of TeamViewer, their ability to contain the breach within the corporate IT environment and prevent it from affecting customer systems is a perfect example of effective network segmentation that prevents lateral movement. They maintained a clear separation between their internal network and customer-facing systems.

Now, what do we learn from the Incident?

This incident shows us that we can’t stop cyberattacks, but we can build an effective security strategy that contains the breach. In the case of TeamViewer, segmentation and blocking lateral movement changed the rules of the game.

How do you block lateral movement?

Access Controls: Ensuring that users have only the necessary access to perform their jobs by setting permissions.

Network Segmentation: Dividing the network into isolated segments.

Continuous Monitoring: Implementing automatic detection and response to suspicious behaviors.

What others security measures do you need to avoid and contain a breach?

Multi-Factor Authentication: Implementing multi-factor authentication (MFA) can significantly reduce the risk of credential-based attacks. Even if an attacker obtains a user’s password, they will still need a second form of verification to gain access.

Regular Security Audits: Conducting regular audits and penetration testing helps identify and remediate vulnerabilities before it is too late.

User Training: Educating employees about cybersecurity best practices and providing user friendly security tools to make sure that employees will actually use them.

Incident Response Planning: Having a well-defined incident response plan ensures that an organization can respond effectively to security incidents, therefore minimizing recovery time.

How can you ensure a robust access security strategy with cyberelements?

The TeamViewer attack is a reminder that no organization is immune to cyber threats, emphasizing the need for robust network segmentation, access management, and Zero Trust architecture.

This why cyberelements provides an access security platform based on a Zero Trust architecture.

Double Barrier Architecture for Advanced Network Segmentation:

Based on two components: The Controller and The Edge Gateway securely connects users only to the resources needed to perform their activity.

The Edge Gateways: This unique architecture provides a Gateway per (V)LAN to keep complete separation. Each one of them will then be connected to the organization’s tenant in The Controller where the access control policies are enforced.

The Controller: In which we can have multiple tenants based on your separation. Each tenant will connect the user to the relevant Gateway and therefore the relevant resource.

This unique architecture makes sure that we are running on outgoing traffic flow:

When a user requests a connection from The Controller, a session with the relevant resource will be established through the relevant Edge Gateway and the session will cross the tunnel between the Edge Gateway and The Controller on one hand, and between The Controller and the end user device on the other hand.

Access Permissions:

Now that you segmented your networks, you need to stop any lateral movement within the network from one resource to another. By setting up access policies, cyberelements allows you to connect your users only to the resources that they need. For critical resources, you can add an extra layer of security by giving access for a limited period of time – Just-in-Time Access.

At cyberelements, we believe that granularity is a key for robust access security strategy and this why we provide a large number of possibilities to set your own rules and permissions.

User Experience:

A cybersecurity solution that is burden for users will not be adopted properly by your employees. Simplicity here is a key.

cyberelements users get access to their resources from a web portal. They only need to authenticate to the platform with MFA and our SSO technology will make sure to give them seamless access to their applications.

On the other hand, the cyberelements admins can manage all their users, LANs, and resources from a single admin console.

At the end, history has been repeatedly showing us that hackers will always try to perform cyberattacks. For instance, the latest attack of TeamViewer is not an isolated case. Remote access tools have always been targeted by hackers since they provide direct access to systems. ​It is every organization’s responsibility to ensure its security by not only preventing breaches but also preventing any threat propagation.

It’s time to protect your organization from cybercriminals, book a meeting with our experts and let’s discuss your access security: Book a meeting now!