Reposting what TheKnack said [0] as a top level comment, since this is important.
> The Chief Security Architect of FireEye posted this Tweet last week clarifying that there isn't a new compromise of TeamViewer, and the social media posts suggesting there is are misinterpreting a slide from a conference presentation.
TV gives full access to computers through passwords and it seems it's not brute-force resistant. Think about how long an SSH server with password enabled and no autoban would last in the open...
Edit: nevermind, the attack is apparently through some malware.
The title could still be a bit better; the story is about the ability to access billions of devices. There is zero indication that billions of devices were actually accessed.
I'm sure it was, I'm just not so sure that it does a very good job at that.
I feel like the most obvious interpretation of this is "APT41 possibly accessed billions of devices" which is incorrect, they had the ability but it is known that they only accessed a rather limited set of devices.
I'm not sure what would've been a better title though, especially given the length restrictions ¯\_(ツ)_/¯
Thank you for the hint, I used AnyDesk (think it was built by people who worked at TV) but I'd enjoy an open source solution even more if it does what it should.
I've been using MeshCommander/MeshCentral (and their older tools like Open MDTK) since the first public versions, both for vPro/AMT related management tasks, and remote control. I'm very happy with them but I certainly won't rely on the assumption that they can't be hacked. With enough "motivation" an attacker has plenty of targets on the logistics chain where a vulnerability can be introduced (in the code, in the installer, etc.).
Speaking of TeamViewer, do you know a good open source alternative that I can self host (I mean self host the relay server for NAT traversal)? One that is as easy to use? Works on Windows, Mac and Linux? It should also be installable in a few clicks with no network configuration required.
In case remote control capabilities are not required, one could use the jitsi (https://jitsi.org) video conferencing service, which provides screen sharing capabilities (implementation depends on the web browser).
The main advantage is that there is no need to install any software, either on the remote machine or on the local one.
There is a cloud hosted free version https://meet.jit.si which does not even require registration.
I haven't tried this, but I imagine a situation where computer A uses SSH to connect to VPS B and computer C connects to VPS B using SSH. If both SSH connections port-forward a VNC port, you can use VNC.
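The rendezvous sketched above, as an added example (not code from this thread): the two ssh command lines for A and C, plus a check a practitioner would run on the VPS before relying on it. Assumed names are mine: the VPS is reached as relay@vps.example, A's VNC server listens on 127.0.0.1:5900, port 15900 is used on the VPS loopback, and C's VNC client is pointed at localhost:5901. The same pattern serves RDP by swapping 5900 for 3389.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: relay@vps.example, port 15900.
VPS=${VPS:-relay@vps.example}
RELAY_PORT=${RELAY_PORT:-15900}   # port on the VPS loopback that A's VNC is published on

# Command computer A (the controlled machine) runs. -R publishes A's local VNC port on
# the VPS loopback only; -N opens no remote shell; ExitOnForwardFailure makes ssh exit
# instead of silently connecting without the tunnel when the port is already taken;
# ServerAliveInterval keeps the idle tunnel from being dropped by NAT timeouts.
a_side_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:127.0.0.1:5900 %s\n' \
        "$RELAY_PORT" "$VPS"
}

# Command the helper C runs. -L brings the VPS loopback port down to C's loopback, so the
# VNC client connects to 127.0.0.1:5901 and the VNC stream only ever travels inside the
# two SSH sessions; VNC's own (weak) password is never exposed to the network.
c_side_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:5901:127.0.0.1:%s %s\n' \
        "$RELAY_PORT" "$VPS"
}

# Check on the VPS: "GatewayPorts yes" in sshd_config forces remote forwardings onto the
# wildcard address, which would expose A's VNC port to the whole internet despite the
# explicit 127.0.0.1 in -R above. "no" (the default) and "clientspecified" honour it.
# Returns 0 if the file given as $1 (default /etc/ssh/sshd_config) is safe, 1 otherwise.
# sshd uses the first value of a keyword, and global settings precede any Match block,
# so parsing stops at the first Match line; per-Match overrides are not evaluated here.
gateway_ports_safe() {
    cfg=${1:-/etc/ssh/sshd_config}
    val=$(awk '
        { gsub(/=/, " ") }                                  # accept keyword=value too
        $1 ~ /^#/ || NF < 2 { next }                        # comments, blank lines
        tolower($1) == "match" { exit }                     # global section ends here
        tolower($1) == "gatewayports" && v == "" { v = tolower($2) }
        END { print (v == "" ? "no" : v) }
    ' "$cfg") || return 1
    [ "$val" = "no" ] || [ "$val" = "clientspecified" ]
}

# Print the two command lines; run the first on A and the second on C.
echo "on A: $(a_side_cmd)"
echo "on C: $(c_side_cmd)"
```

Run gateway_ports_safe on the VPS first; if it fails, fix sshd_config before starting the A-side tunnel, since the -R bind address is exactly the thing a permissive GatewayPorts overrides.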
Yes, technically it could work, but I cannot ask the users to use SSH and configure VNC. The strength of TeamViewer is that you download it, open it, give the number over the phone and it works.
But for remote control, it stops every few minutes, asking the "controlled" user to click on a button to continue. Not so practical in a few situations.
It always happens for me when accessing a Linux machine remotely. I can't find a screenshot now, so the next time I do it, I'll take one. It seems to be a security measure, to prevent someone from sharing remote access and then forgetting about it afterwards, but it makes for terrible usability.
This is what I use. In Unix it just works (TM). If you have an ssh client in windows, it also works with Remote Desktop via ssh port forwarding. In lieu of a (configured) ssh client on Windows, you can send the other person a self-contained Go program to do the job.
It sucks for multi monitor setups though, keyboard events, defocuses for no reason, unlocks the computer you rdp into, doesn't support scaling monitors.
I don't know how smooth it is, since I haven't tried it myself yet, but apparently Nextcloud Talk can do it. I think it needs a browser extension, but that might not be nearly as much of an imposition as VNC + SSH. It's also pretty easy to self host on a VPS or other server of your own.
What protocol do you notice this with? In my experience, Microsoft RDP (the only protocol I know with configurable udp and tcp) with and without udp is imperceptible during typical use (eg. server administration).
I also use Guacamole for remote employee/vendor access (with public IPs hidden behind a proxy like an F5 or at least SSL+HTTP Simple Auth), but I haven't ever tried to configure it for remote support session sharing type stuff.
Is that how you're using it? If so, how is it set up?
> This group of hackers uses highly sophisticated malware variants, primarily developed for espionage, so we consider it unlikely that any State is sponsoring its operations,” Glyer says.
> The web application security expert adds that, based on detected activities and attack methods, in addition to the unusual interest that APT41 has shown in attacking the video game industry, its attacks could not be politically motivated; instead, they’re focused on economic gains.
I’d like to know how one can simply assume this given a potential payoff of billions of devices...
Especially given that the "Video Game Industry" probably represents a pretty large group of heterogeneous, idiosyncratic chat protocols, which I certainly would be interested in if I were the Chinese Govt.
The Chief Security Architect of FireEye posted this Tweet last week clarifying that there isn't a new compromise of TeamViewer, and the social media posts suggesting there is are misinterpreting a slide from a conference presentation.
The article doesn’t give me any confidence in their reporting and is a site I’ve not heard of, so I’m feeling it’s a bit suspect. Anyone have a better source?
Fascinating, they embed a tracking pixel of:
http://onion.[SOME_NUMERIC_ID].pixel.archive.today/pixel.gif for Tor endpoint (archivecaslytosk.onion) connections but
https:// [YOUR_IP].[COUNTRY_CODE].[SHORT_ALPHANUMERIC_ID].[SOME_NUMERIC_ID].pixel.archive.is/pixel.gif for regular (archive.is/archive.fo/archive.today/etc) connections.
So at least this lets archive.is correlate your IP with your DNS server (which must pass EDNS Client Subnet to get any meaningful response, this is the reason why Cloudflare DNS is not that great for accessing archive.is; more: https://news.ycombinator.com/item?id=19828317).
There is something weird going on - both demanding the EDNS detail and then the extra tracking. I'm happy to avoid them using cloudflare's privacy stuff.
TeamViewer devs are especially to blame for this. You can’t install it without admin permissions even if you just want to control another desktop. Unless you manually extract the .app from the .pkg, in which case it works fine.
Anyways, this isn’t the first time TeamViewer has been hacked. Wonder what their beef is against E2EE between connected computers.
On Windows it can be used by a standard user without being installed. It's much more difficult to do this on macOS. Even on Windows there are dark patterns that make this difficult, but it can be done.
This is from 2016. It's hard to say how you can tell without knowing what techniques were used against you specifically. If you have FireEye's network or endpoint products (or any other major vendor's), they would provide coverage for any remnants of compromise by that threat actor.
> The Chief Security Architect of FireEye posted this Tweet last week clarifying that there isn't a new compromise of TeamViewer, and the social media posts suggesting there is are misinterpreting a slide from a conference presentation.
> https://twitter.com/cglyer/status/1183210046093758464
[0]: https://news.ycombinator.com/item?id=21308518