7/8/2023 0 Comments Teamviewer hackedCity officials on Monday emphasized that several other safeguards are in place to prevent contaminated water from entering the water supply and said they’ve disabled the remote-access system used in the attack.” “A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, Gualtieri said. “The city’s water supply was not affected,” The Tampa Bay Times reported. lye used to control acidity in the water) to 100 times the normal level. Gualtieri told the media that someone (they don’t know who yet) remotely accessed a computer for the city’s water treatment system (using Teamviewer) and briefly increased the amount of sodium hydroxide (a.k.a. That is, until this past Monday, when Florida county sheriff Bob Gualtieri held a remarkably clear-headed and fact-filled news conference about an attempt to poison the water supply of Oldsmar, a town of around 15,000 not far from Tampa. Spend a few minutes searching Twitter, Reddit or any number of other social media sites and you’ll find countless examples of researchers posting proof of being able to access so-called “human-machine interfaces” - basically web pages designed to interact remotely with various complex systems, such as those that monitor and/or control things like power, water, sewage and manufacturing plants.Īnd yet, there have been precious few known incidents of malicious hackers abusing this access to disrupt these complex systems. But for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all. You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.Stories about computer security tend to go viral when they bridge the vast divide between geeks and luddites, and this week’s news about a hacker who tried to poison a Florida town’s water supply was understandably front-page material. Īccording to Checkpoint Research, Once the attacker gain the remote access via malicious TeamViewer, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC.īased on the Telemetry record, This attack targeting countries including Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, Lebanon public financial sector and government officials. Using this technique, attackers hiding the TeamViewer interface from the users view, saving the current TeamViewer session credentials to a text file and let them transfer and execution of additional EXE o DLL files. In this case, threat actors using DLL side-loading technique to load the TeamViewer DLL ( htv.ahk ) and this technique let attackers adding more functionality to TeamViewer. htv.ahk: Downloads a malicious version of TeamViewer, executes it and sends the login credentials to the C&C server. hinfo.ahk: Sends the victim’s username and computer information to the C&C server.hscreen.ahk: Takes a screenshot of the victim’s PC and uploads it to the C&C server.There are 3 malicious AHK scripts are discovered that can perform different activities of following, įirst one is a legitimate AutoHotkeyU32.exe program, the second one is aĪutoHotkeyU32.ahk which is an AHK script to communicate with C&C server to download the additional script and execute it. Once the victims open the decoy document and enable the macro, there are two files are extracted from the hex encoded cells in XLSM document. The initial stage of the infection chain starts by delivering a spam email under the subject “Military Financing Program” with the attached malicious XLSM document with embedded macros.Ī well-crafted malicious document posed as the U.S Department of State which is marks as a top secret to convincing the victims to open it. Recent malicious campaign continuously makes use of TeamViewer by adding malicious TeamViewer DLL to Deliver Powerful Malware that Steals Sensitive Data and Money from various government and Financial networks. Based on the entire infection chain, tools developed and used in this attack, underground activity makes the researchers believe that the attack was conducted by a Russian Speaking hacker who is financially motivated.
0 Comments
Leave a Reply. |