Future Tech

TeamViewer can't bring itself to say someone broke into its network – but it happened

Tan KW
Publish date: Fri, 28 Jun 2024, 10:06 AM

TeamViewer on Thursday said its security team just "detected an irregularity" within one of its networks, which seems a very fancy way of saying someone broke in.

We're told this "irregularity" was spotted inside TeamViewer's corporate IT environment on Wednesday, and that the biz immediately called in reinforcements in the form of cybersecurity investigators, implemented "necessary remediation measures," and activated its incident response team and processes, according to an announcement on Thursday.

TeamViewer sells software to remotely control and manage Windows PCs and other computers as well as tools to access systems via the web, and is used the world over. The words "TeamViewer" and "security breach" will make a lot of people's blood run cold given how widely it is used - in homes, organizations, and businesses - so a compromise of the platform could be devastating. TeamViewer says it has more than 600,000 customers.

Regardless, the software maker's disclosure attempted to downplay the intrusion, sorry, "irregularity."

"TeamViewer's internal corporate IT environment is completely independent from the product environment," it read. "There is no evidence to suggest that the product environment or customer data is affected."

But, it added, "investigations are ongoing and our primary focus remains to ensure the integrity of our systems."

TeamViewer spokesperson Maria Gordienko declined to answer The Register's specific questions about the incident, including whether it was ransomware or worse, citing the ongoing investigation. "As soon as new relevant facts become available, we will update the statement for the general public," she said. 

It appears top infosec house NCC Group has already tipped off its customers to the security snafu, and blamed an unnamed advanced persistent threat (APT) team.

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," NCC said in that memo, shared earlier on Mastodon by an IT security pro going by the name Jeffrey.

"Due to the widespread usage of this software the following alert is being circulated securely to our customers," the shared missive, confirmed as legit by NCC, continued. We've asked the security group for further details for the public.

And speaking of TeamViewer and APTs, Brett Callow, threat analyst at Emsisoft, pointed to an alert Thursday by the US-based Health Information Sharing and Analysis Center (H-ISAC) to the health sector about ongoing exploitation of TeamViewer and how healthcare operators should respond.

That memo reads:

H-ISAC said in its industry bulletin that it had been warned by a friendly intel partner that APT29, aka Russian intelligence's Cozy Bear crew, has been "actively exploiting Teamviewer."

"TeamViewer has been observed being exploited by threat actors associated with APT29," it added.

Which could mean the Russians are separately exploiting weaknesses within TeamViewer to get into people's networks, or taking advantage of poor customer-side security to get in via the remote-desktop software; or H-ISAC is saying the aforementioned intrusion into TeamViewer's own systems was carried out by the Kremlin.

We're seeking further details and will let you know when we hear more. ®

 

https://www.theregister.com//2024/06/28/teamviewer_network_breach/
