Monitor TeamViewer with MCAS
According to many reports and data from security vendors, a series of attacks started in 2016 and is still in progress, and TeamViewer has confirmed a previously undisclosed breach. This post, Monitor TeamViewer Security issue with MCAS, will guide you in discovering the app in your environment using Microsoft Cloud App Security.
Remote Tools – Security Issue
Hackers often rely on a few standard remote administration tools (RATs) to control victim systems from afar, as if they were sitting in front of them. Naturally, not all RATs work for every attack, but hackers turn to some tools more often than others before moving on to more niche or resource-intensive options when necessary.
For example, Check Point researchers recently spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe.
The attack, which starts with a malicious attachment disguised as a top-secret US document, weaponizes TeamViewer, the widespread remote access and desktop sharing software, to gain complete control of the infected computer.
By investigating the entire infection chain and attack infrastructure, we could track previous operations with many characteristics of this attack’s inner workings.
We also came across an online avatar of a Russian-speaking hacker, who seems to be in charge of the tools developed and used in this attack.
This article will discuss the infection chain, those targeted, the tools used, and a possible attribution to one of the hackers behind the attack. This attack is one of many breaches that occur with TeamViewer.
Another example from the last week is the Fxmsp chat logs that reveal the hacked antivirus vendors. Below is a conversation about source code files for various products from the antivirus companies Symantec, McAfee, and Trend Micro. The chat is between Fxmsp members:
TeamViewer is one of the world’s largest providers of remote control and desktop sharing software. Its services are used by millions of users and large corporations. Hackers have always targeted TeamViewer because of the access the company’s service can provide in the case of a successful breach.
Today, a RAT is a security risk because it allows an attacker to take many actions, including delivering malicious code to the PC and gaining privileged access.
By way of introduction, Microsoft Cloud App Security (MCAS) is a critical component of the Microsoft cloud security stack.
It is a complete solution that can assist your organization as you move to take full advantage of cloud applications, while keeping you in control through improved visibility into activity. It also helps increase the protection of critical data across cloud applications.
With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your organization can more safely move to the cloud while maintaining control of critical data.
The Cloud App Security framework:
- Cloud Discovery – Discover all cloud use in your organization, including Shadow IT reporting and control and risk assessment.
- Data Protection – Monitor and control your data in the cloud by gaining visibility, enforcing DLP policies, alerting, and investigating.
- Threat Protection – Detect anomalous use and security incidents. Use behavioral analytics and advanced investigation tools to mitigate risk and set policies and alerts to achieve maximum control over network cloud traffic.
How to Discover TeamViewer
Note: you cannot prevent malware or identify attacks that bypass detection with the TeamViewer detection tool or any other AV tool, so the way to handle this situation is to block TeamViewer.
With MCAS, you can discover, identify and respond to a specific application, whether a cloud application or an on-premises application; in our scenario, the TeamViewer app.
To discover a specific app with MCAS, follow these steps:
- From the MCAS portal, go to Cloud Discovery, or directly to Discovered apps.
- From the Apps field, search for the TeamViewer app; the information about TeamViewer then appears in the Discovered apps window.
- Once you choose the TeamViewer app, you can delve into the following information:
  - Use – information such as Overview, Users, Total traffic, etc.
  - Info – app description and rating
  - IP address – the location from which the action was made
  - Users – which users use the app
  - Alerts – alerts raised on the app, if you have a rule or policy for it
For example, when investigating users and usage, you can view which users use this app, how much data they consume and upload, and what type of information has been part of the users' consumption with the TeamViewer app.
Another example is to create a policy from Discovered apps that alerts on users using this app and suspends those users from Office 365, or applies other actions.
Next, once you have all the information about the TeamViewer app, you can take additional action to prevent users from using TeamViewer, and even block TeamViewer in your firewall.
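Cloud Discovery builds the usage and policy views above from firewall or proxy logs. The following added example (written for this post, not MCAS code or a Microsoft API) reproduces the two steps in miniature: it parses a constructed proxy log, attributes TeamViewer traffic to users by matching destination hosts against an assumed app-domain catalog (the `APP_CATALOG` mapping and the `max_upload_bytes` threshold are assumptions for illustration), summarizes per-user traffic as the Users/Total traffic view does, and evaluates a hypothetical policy that raises an alert for every user of the app, with higher severity when uploads exceed the threshold.

```python
import re

# Constructed sample proxy log (not real data). Layout assumed for this example:
# timestamp user src_ip dest_host bytes_sent bytes_received action
SAMPLE_PROXY_LOG = """\
2019-05-20T08:01:12Z alice 10.0.0.11 login.teamviewer.com 1240 8820 allowed
2019-05-20T08:01:15Z alice 10.0.0.11 router1.teamviewer.com 2048000 90210 allowed
2019-05-20T08:03:40Z bob 10.0.0.12 www.example.com 512 20480 allowed
2019-05-20T08:05:02Z carol 10.0.0.13 download.teamviewer.com 300 52428800 allowed
2019-05-20T08:07:19Z bob 10.0.0.12 ping3.teamviewer.com 600 600 allowed
garbage line that does not parse
"""

# Assumed stand-in for the app catalog: app name -> domain suffixes that identify it.
APP_CATALOG = {"TeamViewer": ("teamviewer.com",)}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src_ip>\S+) (?P<host>\S+) "
    r"(?P<sent>\d+) (?P<recv>\d+) (?P<action>\S+)$"
)


def parse_proxy_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sent"] = int(rec["sent"])
        rec["recv"] = int(rec["recv"])
        records.append(rec)
    return records


def match_app(host):
    """Return the catalog app name for a destination host, or None if unknown."""
    host = host.lower()
    for app, suffixes in APP_CATALOG.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return app
    return None


def discover_app_usage(records, app="TeamViewer"):
    """Aggregate per-user traffic for one app: bytes sent/received, source IPs, hosts, events."""
    usage = {}
    for rec in records:
        if match_app(rec["host"]) != app:
            continue
        u = usage.setdefault(
            rec["user"], {"sent": 0, "recv": 0, "src_ips": set(), "hosts": set(), "events": 0}
        )
        u["sent"] += rec["sent"]
        u["recv"] += rec["recv"]
        u["src_ips"].add(rec["src_ip"])
        u["hosts"].add(rec["host"])
        u["events"] += 1
    return usage


def evaluate_policy(usage, max_upload_bytes=1_000_000):
    """Hypothetical policy: alert on every user of the app; uploads above the
    threshold (outbound file transfer is the concern in the post) are high severity."""
    alerts = []
    for user, u in sorted(usage.items()):
        severity = "high" if u["sent"] > max_upload_bytes else "medium"
        alerts.append({"user": user, "severity": severity, "sent": u["sent"], "recv": u["recv"]})
    return alerts


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    usage = discover_app_usage(recs)
    for user, u in sorted(usage.items()):
        print(f"{user}: {u['events']} events, sent={u['sent']} recv={u['recv']} "
              f"ips={sorted(u['src_ips'])} hosts={sorted(u['hosts'])}")
    for alert in evaluate_policy(usage):
        print("ALERT", alert)
```

The unmatched host (`www.example.com`) and the malformed line are dropped, so only TeamViewer traffic reaches the summary; in a real deployment the per-user "sent" figure is the one to watch, since it is the direction in which files leave the network.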
Most important is to check those files and those machines to rule out the possibility of malicious files inside your network. With MCAS, you can discover which file was used and when.
Remote administration tools are used daily on many devices, with products such as AnyDesk, ShowMyPC, and others. The security issues with TeamViewer should raise a red flag about all other RATs and IT remote tools.
The recommendation is to work with certified tools and prevent transferring files from the external network to the internal network.