I previously posted an article about the latest TeamViewer hack that has been spreading around the last few days. I myself have switched over to using AnyDesk for personal remote support (family, friends, etc.) but I still had it on a few systems. I did check my logs and luckily none of my systems were accessed. However, in the TeamViewer web console, I did see multiple sessions from China that were active in the last 30 days. I have since closed my TeamViewer account and notified all people that I know who use the service to uninstall it and switch to another provider.
Whether you were hacked or not, please fill out this Google Form that one of the /r/TeamViewer mods put together: https://docs.google.com/forms/d/1E5U8iPWk_bLuRFnlpmGOYWY0yfCsBi9SPR3y5YhVefY/viewform
Accessing the Connection Log
If you want to see whether your system was accessed (even if you uninstalled the program), you just need to check the connection log in the TeamViewer directory. The default installation paths are below:
- 32-Bit (x86) Systems: C:\Program Files\TeamViewer\Connections_incoming.txt
- 64-Bit (x64) Systems: C:\Program Files (x86)\TeamViewer\Connections_incoming.txt
Here is the log file from one of my systems with the personal information blurred out for security reasons.
- If you have any logs that are NOT from you, please save the log, report the information to TeamViewer, and post in the Reddit thread here: https://www.reddit.com/r/teamviewer/comments/4m6omd/teamviewer_breach_masterthread_please_post_your/
- If you need assistance checking your system for malware that the attackers could have placed on your system, please call your preferred IT person or contact me through the site; I offer remote and onsite support.
- Most importantly, if your system has been accessed by someone else, DO NOT USE THE SYSTEM! There have been multiple reports of keyloggers and other malicious software being installed by the attackers when they gained access to the system. I recommend doing a full OS installation and thoroughly going through any other drives/devices that have been connected to the PC.
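To make the log check above repeatable, here is an added example (not part of the original article and not TeamViewer's own tooling) that reads Connections_incoming.txt and lists sessions from partner IDs you do not recognise. It assumes each log line is tab-separated in the order partner ID, partner name, start time, end time, local user, connection type, session ID; the known ID set and the sample lines are constructed.

```python
from pathlib import Path

# Default install paths given in the article.
DEFAULT_LOGS = [
    Path(r"C:\Program Files\TeamViewer\Connections_incoming.txt"),
    Path(r"C:\Program Files (x86)\TeamViewer\Connections_incoming.txt"),
]

# Assumed column order of one tab-separated log line (not stated in the article).
FIELDS = ["partner_id", "partner_name", "start", "end", "local_user", "mode", "session"]


def parse_incoming(text):
    """Return one dict per well-formed line; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        entries.append(dict(zip(FIELDS, cols)))
    return entries


def unknown_sessions(entries, known_ids):
    """Sessions whose partner ID is not one of your own devices."""
    return [e for e in entries if e["partner_id"] not in known_ids]


# Constructed sample data, not a real log.
SAMPLE = (
    "111222333\tMY-LAPTOP\t28-05-2016 18:02:11\t28-05-2016 18:40:03\talice\tRemoteControl\t{AAAA}\n"
    "999888777\tUNKNOWN-PC\t01-06-2016 03:14:52\t01-06-2016 03:29:10\talice\tRemoteControl\t{BBBB}\n"
    "\n"
    "garbage line without tabs\n"
)

if __name__ == "__main__":
    known = {"111222333"}  # hypothetical: TeamViewer IDs of your own devices
    found = [p for p in DEFAULT_LOGS if p.exists()]
    # Fall back to the constructed sample when no log is present on this machine.
    texts = [p.read_text(errors="replace") for p in found] or [SAMPLE]
    for text in texts:
        for e in unknown_sessions(parse_incoming(text), known):
            print(e["partner_id"], e["partner_name"], e["start"], e["end"], e["local_user"])
```

Work from a saved copy of the log if the system may have been accessed, so the original file stays intact for reporting.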
TeamViewer continues to deny that they had a breach but there have been multiple users that have had proper passwords and even 2-factor authentication enabled at the time of the attack. Their system is flawed and cannot be trusted until they own up to what happened and post a 100% certain resolution to the breach.