Hardening (analyze & avoid remote access)

[rihtt]

Hello
a client of mine runs a windows 7 embedded
[6.1.7601 Service Pack 1 Build 7601]


there is a remote management software installed called teamviewer host
(version 9)


But, here is the issue.
Someone is controlling the computer because the end-users have a number of times seen
that someone is controlling the mouse and are using the computer. And I suspect its not a teamviewer session but instead some else unknown RAT/spyware or other RMM



I have been assigned to investigate and stop this.


* teamviewer host logfiles shows no matching incoming_connections
*teamviewer host has been set to have 1 new password. And no other extras
*I deactivated the windows RDP/RDC protocol within control panel
*I installed malware antibytes and run a scan atm



What else do you suggest to do?




I am planning to visit the site and do some more work at the terminal:

() I will do a regshot of the system with my portable thumbdrive.
Reboot and scan again and check for anomalies

where-application stores its data -


() deny all in the windows firewall, and do exceptions just for critical applications
such as  wmupdate, teamviewer

() also if available check the router, and add additional firewall/block everything to this device in the network.


() check the   UAC  settings

() install and tweak with EMET,  but I found this toolkit quite hard to understand.

 

[iko22]

Hello rihtt

Does the Windows 7 embedded computer have its own Mouse physically connected, or is it only (intentionally) controlled via Team Viewer?

 

[samuria]

The top option is to setup a DMZ zone and assign it to a fix IP which doesn't exist set this on the router so nothing would connect from outside it would require something running on the pc to open connection check schedule and startup

 

[file3456]

Team Viewer is very susceptible to having the account hacked. When you use TV it is vital you use 2FA (two factor authentication) I use Authy and I highly recommend you use Authy for every account that has a 2FA ability for Authy. Be it PayPal, eBay (unless you snipe, don't turn it on), domain providers, etc. Use Authy when you can. If email or SMS is the only option, use email, if SMS is the only option use SMS, though not very good since that is vulnerable to a sim card swap hack.

So what I would do right now is the following:

A: Login to the TV account and change the password. Use Keepass and make it at least 16 characters. Backup Keepass' database to multiple storage mediums regularly. USB flash drives, computers, hard drives, cloud storage, you name it.

B: Download the Authy App for your phone. Install Authy on your computer/s Go into your TV account and chose to use 2FA.

C: Run Autoruns and make sure there isn't something there that shouldn't be.

D: Run Sanity Check.

E: Run TDSSKiller.

F: Try Herdprotect portable.

DMZ and all that is not going to make a difference with a TV connection. A TV connection bypasses the firewall and router SPI via direct IP connection from the program to a server somewhere in the world. They have many IPs and I've seen several using Peerblock. In all the years I've used TV I have never had unusual behavior and that's principally because I use 2FA.

Heed my advice line by line. Any questions ask.

 

[Alejandro85]

The very first measure you could take is to propertly setup your firewall at the affected computer. Only let known programs to access the network, both for incoming and specially outgoing connections. Firewall logs may also discover the problem, if it ends up not being a teamviewer session.

Team Viewer is very susceptible to having the account hacked.

Why? What's your basis for such claim?

 

[file3456]

Why? What's your basis for such claim?

team viewe account hacked - Google Search

Next thing you know you'll say I'm wrong. Also, this has NOTHING to do with the network. TV punches through firewalls and SPI.

Also, from the search results. This is how you can check if your TeamViewer account has been hacked and what to do >> TechWorm

 

[iko22]

Yes, I distinctly remember hearing about a Teamviewer hack in 2016. Googling it today, I found that the company first denied this happened, then they reported that it was an infrastructure attack rather than a user account attack. However, if users have personal doubts, then check the Teamviewer log entries, and report any anomalies to their customer support.