TV-2024-1005

TeamViewer IT security incident

Bulletin ID
TV-2024-1005
Issue Date
27 Jun 2024
Last Update
4 Jul 2024
Priority
Informative
Affected Products
No product, platform, or customer data affected

1. Summary

In late June 2024, TeamViewer was confronted with a cyber-attack, which we detected, investigated and remediated quickly. Based on the results of the diligent investigation together with leading cyber security experts from Microsoft, we confirmed that the incident was contained to our internal corporate IT environment and that neither our separated product environment, nor the connectivity platform, nor any customer data was affected.

Our products have been safe to use at all times. Since the incident, we have strengthened our security posture and processes even further with additional protection layers.

2. Incident Overview

  • June 26, 2024: Initial detection.
  • June 27, 2024: First statement.
  • July 4, 2024: Final statement and conclusion of the main incident response and investigation phase.

3. Communications Timeline

On Wednesday, 26 June 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment. We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures.

TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data has been affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems.

Security is of utmost importance to us; it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available.

A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.

Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.

Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place. This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our defense-in-depth approach.

Security is of utmost importance to us; it is deeply rooted in our DNA. Therefore, we commit to transparent communication to stakeholders. We will continue to update the status of our investigations in our Trust Center as new information becomes available. We expect to post the next update by end of today CEST.

In collaboration with globally leading cyber security experts and relevant government authorities, our security teams continued their diligent investigation of the reported incident. Today’s findings strengthened our assessment that the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data. We therefore reconfirm our previous statements.

Given our strong commitment to security, we take the threat very seriously. We will continue our thorough investigation over the next days to enrich the collected evidence further and exhaust all investigative options. We will continue to provide updates in our Trust Center as new information becomes available.

As the investigation progresses, we reconfirm that the attack has been contained to our internal corporate IT environment. Most importantly, our assessment reconfirms that it did not touch our separated product environment, nor the TeamViewer connectivity platform, nor any customer data. According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, namely names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities.

The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state.

We will continue our thorough investigation and provide updates in our Trust Center as new information becomes available.

Eight days after the cyber security incident was first detected on June 26, and after exhausting all relevant investigative options, we have concluded the main incident response and investigation phase. Based on the results of our diligent investigation together with leading cyber security experts from Microsoft, we reconfirm that the incident was contained to our internal corporate IT environment. This means that neither our separated product environment, nor the connectivity platform, nor any customer data has been touched.

These findings confirm that our software solutions have at all times been safe to use. We appreciate our customers’ continued trust in our products, security posture and incident response capabilities.

All immediate remediation measures that we put in place regarding our internal corporate IT environment as well as the additional protection layers that we established have proven to be very effective: there was no suspicious activity in our internal corporate IT environment after our security teams blocked the attack immediately upon detection.

We take the threat very seriously and continue to investigate and monitor the situation vigilantly. This statement concludes our regular status updates on this incident.

Security remains core to our DNA, and we will continue to invest in our best-in-class cyber security posture as we have done in recent years.

4. Solutions and mitigations

We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state.