In February this year, we examined the attack on the Oldsmar water facility in Florida, which stemmed from the exploitation of the remote access tool TeamViewer. It has now been disclosed that TeamViewer was being exploited in the wild even earlier, with threat actors attempting to poison a water treatment plant in San Francisco in January.
How Attackers Are Exploiting TeamViewer
Reports show that the attack on the San Francisco water supply facility was relatively simple: An attacker stole TeamViewer credentials from a former employee and gained access, allowing them to remotely access and configure other systems.
A recently disclosed vulnerability shows that TeamViewer passwords can be stolen, allowing attackers to authenticate to systems with TeamViewer installed.
Why Tracking Installed Software and User Accounts Is Crucial
Too often, organizations leave user accounts active even after the users have left the organization. Additionally, many organizations struggle to gain a real-time view of all users with admin and exec mode privileges, which often leaves a large and unaddressed attack surface. This is why maintaining a user inventory is paramount.
Equally important is the ability to track and identify all installed software across an organization, including remote access tools that may be used for legitimate purposes.
On the surface, maintaining a software inventory is easy: there are many application control tools at the disposal of IT and security teams that only allow devices to run permitted software.
However, that only covers the devices and user accounts that IT and security teams already know about.
Many software instances are harder to identify because of today’s dynamic IT environment. For example, it can be hard to track all software running on mobile and BYOD devices that join and leave networks frequently. It can be even harder to understand the relationship between what’s installed on a given device and which user account is actually associated with that device.
Identifying and Tracking Remote Access Tools With Axonius
Axonius takes a comprehensive approach to identifying all user accounts and installed software for every device in your environment, simply by connecting to the IT and security tools you already use.
By connecting data sources such as EDR/EPP agents, configuration and patch management tools, network infrastructure, vulnerability scanners, and more, it’s easy to quickly identify which remote access tools exist in your environment.
Once any of the above tools are connected, Axonius allows for an aggregated search on installed software by name. This means that a query can return a device seen with certain remote access tools regardless of which data source has seen it.
You could also simply create a chart that segments the values of the Installed Software: Software Name field to search for common remote access tools.
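The same idea, reduced to its core, as an added example that is not Axonius code and does not use its API: records from two constructed inventory exports (hypothetical field names) are normalized into one view, queried by software name for remote access tools regardless of which source saw them, and cross-checked against a constructed list of departed users so that hosts matching the scenario above (a remote access tool reachable through an account that should have been disabled) stand out.

```python
"""Added illustration (not Axonius code): merge installed-software records
from several constructed data sources, then query by software name for
remote access tools and flag hosts tied to accounts of departed users."""
from collections import defaultdict

# Constructed sample exports. Field names are hypothetical, not any vendor's.
EDR_EXPORT = [
    {"host": "ws-101", "software": "TeamViewer", "user": "jdoe"},
    {"host": "ws-102", "software": "Microsoft Office", "user": "asmith"},
]
PATCH_MGMT_EXPORT = [
    {"hostname": "WS-102", "app": "AnyDesk", "last_user": "asmith"},
    {"hostname": "ws-103", "app": "TeamViewer", "last_user": "bold"},
]
# Constructed HR/directory view: accounts that should already be disabled.
DEPARTED_USERS = {"jdoe"}

# Software names to look for, compared case-insensitively.
REMOTE_ACCESS_TOOLS = {"teamviewer", "anydesk"}


def normalize(edr, patch):
    """Merge both sources into host -> {software set, users set}.
    Hostnames and names are lower-cased so WS-102 and ws-102 are one host."""
    inv = defaultdict(lambda: {"software": set(), "users": set()})
    for r in edr:
        h = r["host"].lower()
        inv[h]["software"].add(r["software"].lower())
        inv[h]["users"].add(r["user"].lower())
    for r in patch:
        h = r["hostname"].lower()
        inv[h]["software"].add(r["app"].lower())
        inv[h]["users"].add(r["last_user"].lower())
    return inv


def find_remote_access_hosts(inv, tools=REMOTE_ACCESS_TOOLS):
    """Hosts seen with any listed remote access tool by any source."""
    return sorted(h for h, d in inv.items() if d["software"] & tools)


def find_departed_user_hosts(inv, departed=DEPARTED_USERS):
    """Hosts associated with an account belonging to a departed user."""
    return sorted(h for h, d in inv.items() if d["users"] & departed)


def high_risk_hosts(inv):
    """Remote access tool present and a departed user's account attached."""
    return sorted(set(find_remote_access_hosts(inv)) & set(find_departed_user_hosts(inv)))


if __name__ == "__main__":
    inventory = normalize(EDR_EXPORT, PATCH_MGMT_EXPORT)
    print("remote access tools on:", find_remote_access_hosts(inventory))
    print("high risk (tool + departed user):", high_risk_hosts(inventory))
```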