RMM Tool Vendor, TeamViewer says Segmentation Between Environments Prevented Widespread Attacks
by William Toll on Jul 1, 2024 7:44:00 AM
TeamViewer, a popular RMM (Remote Monitoring and Management) tool vendor, reported that its recent breach by cyberthreat actor Midnight Blizzard/APT29 resulted in limited damage, thanks to network segmentation architecture that prevented lateral movement across environments.
TeamViewer announced details of the breach this week, which had more than 600,000 customers globally on alert. In a statement on their “Trust Center” page, TeamViewer stated: “Following best-practice architecture, we have strong segregation of the Corporate IT, production environment, and TeamViewer connectivity platform in place. This means we strictly separate all servers, networks, and accounts to help prevent unauthorized access and lateral movement between environments. This segregation is one of multiple layers of protection in our ‘defense-in-depth’ approach.”
The investigation and incident response team for the attack comprised both TeamViewer employees and leading global cybersecurity experts. They traced the June 26 attack to the credentials of a standard employee account within the corporate IT environment.
Software Supply Chain Security Is Critical
The TeamViewer incident shows how a well-resourced threat actor can get into even a heavily defended vendor: the foothold was valid credentials for an ordinary employee account rather than an exploit, an entry method that traditional, signature-based detection does not flag. The attackers are believed to be Midnight Blizzard/APT29, a nation-state-backed threat actor group associated with Russia’s Foreign Intelligence Service (SVR), which has been operating since 2008.
The attack underscores the importance of software supply chain security. TeamViewer acknowledges that it represents a significant, homogeneous attack surface and vector for its global customer base of over 600,000. Remote Monitoring and Management (RMM) software is extensively used by corporate IT teams and managed service providers (MSPs) to connect to, monitor, and control computers, machines, and other devices across an organization or across client endpoints.
RMM Tools As An Attack Vector
RMM tools have long been recognized as attack vectors. One of the most notable attacks was the Kaseya VSA ransomware attack (July 2021), which caused downtime for over 1,000 organizations. A more recent example is the exploitation of ConnectWise ScreenConnect (2024), documented by Huntress, a vendor active in the MSP community.
ScreenConnect has also been abused in a spate of recent BlackCat (ALPHV) ransomware attacks against healthcare providers, according to the FBI, CISA, and HHS. In response, ConnectWise worked closely with its teams and the MSP community and made several changes to its incident response program, which its CISO has detailed.
These RMM attacks have prompted cybersecurity authorities in the United Kingdom, Australia, Canada, New Zealand, and the United States to collaborate on education and guidance. Together with CISA they have released a joint advisory, Protecting Against Cyber Threats to Managed Service Providers and their Customers (Alert Code AA22-131A), along with a specific advisory, Protecting Against Malicious Use of Remote Monitoring and Management Software (Alert Code AA23-025A).
The Value of Microsegmentation and Identity-Based Zero Trust Architectures
RMM tools, like much of the IT management stack, require organizations to understand their attack surface and to limit the blast radius of a compromise at one of their software supply chain vendors. Properly deployed network segmentation and identity-based, explicit-trust access policies are essential components of a Zero Trust, defense-in-depth security program. They constrain lateral movement: an attacker who lands in one segment cannot discover or reach systems in another unless a policy explicitly allows that identity, from that segment, to do so. Segmentation also gives granular control over, and visibility into, traffic between segments, so an attempt to cross a boundary is both blocked and logged, which speeds detection and response. Identity-based policies that adapt to user and device context (who is connecting, from which device, and from which segment) shrink the attack surface further and directly counter the lateral movement techniques catalogued in the MITRE ATT&CK framework.
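As an added illustration of the default-deny, identity-aware segmentation described above (example code written for this post, not Elisity's product or TeamViewer's actual architecture; the segment names, roles, rules and traffic flows are hypothetical and constructed), the following Python policy check shows why valid credentials for a standard corporate IT account do not by themselves reach a production segment, and how every blocked cross-segment attempt becomes an audit event a SOC can alert on:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed model of who is connecting: identity, role, the segment the
# device currently sits in, and whether the device is a managed endpoint.
@dataclass(frozen=True)
class Identity:
    user: str
    role: str            # e.g. "employee", "prod-admin" (hypothetical roles)
    segment: str         # e.g. "corp-it", "admin-jump" (hypothetical segments)
    device_managed: bool

@dataclass(frozen=True)
class Flow:
    src: Identity
    dst_segment: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    role: str
    src_segment: str
    dst_segment: str
    ports: FrozenSet[int]
    require_managed_device: bool = True

# Explicit allow-list. Anything not matched here is denied (default deny),
# which is what makes stolen-but-valid credentials insufficient on their own.
POLICY: List[Rule] = [
    Rule("employee",     "corp-it",    "corp-it",      frozenset({443, 445})),
    Rule("prod-admin",   "admin-jump", "production",   frozenset({22, 443})),
    Rule("platform-ops", "admin-jump", "connectivity", frozenset({443})),
]

def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason). Identity, source segment, destination
    segment, port and device posture must all match a rule."""
    for r in policy:
        if (r.role == flow.src.role
                and r.src_segment == flow.src.segment
                and r.dst_segment == flow.dst_segment
                and flow.dst_port in r.ports):
            if r.require_managed_device and not flow.src.device_managed:
                return "deny", "unmanaged device"
            return "allow", f"rule {r.role}:{r.src_segment}->{r.dst_segment}"
    return "deny", "no matching rule (default deny)"

def enforce(flows: List[Flow], policy: List[Rule] = POLICY) -> Tuple[List[str], List[str]]:
    """Evaluate flows in order; also build an audit log of denied
    cross-segment attempts, the signal a SOC should alert on."""
    decisions, audit = [], []
    for f in flows:
        verdict, reason = evaluate(f, policy)
        decisions.append(verdict)
        if verdict == "deny" and f.src.segment != f.dst_segment:
            audit.append(f"DENY cross-segment {f.src.user}@{f.src.segment} "
                         f"-> {f.dst_segment}:{f.dst_port} ({reason})")
    return decisions, audit

def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: 'alice' is a standard employee whose credentials
    were stolen; 'bob' is a legitimate production admin."""
    alice = Identity("alice", "employee", "corp-it", device_managed=True)
    bob_jump = Identity("bob", "prod-admin", "admin-jump", device_managed=True)
    bob_corp = Identity("bob", "prod-admin", "corp-it", device_managed=True)
    bob_byod = Identity("bob", "prod-admin", "admin-jump", device_managed=False)
    flows = [
        Flow(alice, "corp-it", 445),       # normal corp file share: allow
        Flow(alice, "production", 445),    # attacker pivot attempt: deny
        Flow(alice, "production", 22),     # attacker pivot attempt: deny
        Flow(bob_jump, "production", 22),  # admin from jump segment: allow
        Flow(bob_corp, "production", 22),  # same admin, wrong segment: deny
        Flow(bob_byod, "production", 443), # right segment, unmanaged device: deny
    ]
    return enforce(flows)

if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    for line in audit:
        print(line)
```

Note that the compromised account in the scenario never hits a production host: the policy is keyed on role and source segment, not just on the credential, so the same identity is treated differently depending on where it connects from and on what device. The four denied cross-segment attempts are exactly the events to forward to the SIEM, since a standard employee account probing production is the early signature of lateral movement.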
Elisity can block lateral movement, minimize the attack surface, and prevent unauthorized data exfiltration by dynamically profiling and controlling access based on identities. This comprehensive approach ensures that even if an attacker breaches part of the network, their ability to propagate and cause further damage is significantly curtailed. With Elisity, organizations can enhance their security posture, safeguard critical assets, and maintain network integrity, thereby ensuring business continuity and resilience against future threats.
Request a demo to see how Elisity can greatly accelerate your microsegmentation efforts.