Popular remote desktop software provider AnyDesk has confirmed that its production systems have been compromised following a cyber-attack.
AnyDesk’s systems were breached by adversaries who managed to steal source code and private code signing keys and gain access to the firm’s production systems, the company revealed on Febrary 2.
“We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully,” AnyDesk said in a public statement.
The firm has revoked all security-related certificates and web portal passwords through maintenance and believes the threat actor is now out of its network.
Spoke w/ AnyDesk on the phone:
— John Hammond (@_JohnHammond) February 2, 2024
1. Confirmed intrusion, but limited impact. IR w/ CrowdStrike & believe TA is out of the network.
2. New code signing certs are on the latest version.
3. No customer data impacted, AnyDesk application is OK, no updates or code tampered with.
The hack was not related to ransomware and AnyDesk found no evidence that any end-user devices had been affected.
“Our systems are designed not to store private keys, security tokens, or passwords that could be exploited to connect to end-user devices.”
“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate and that [you] change [your] passwords if the same credentials are used elsewhere,” the company said.
Thousands of Stolen AnyDesk Credentials Sold on Dark Web
On February 4, two days after AnyDesk’s public statement, cybersecurity firm Resecurity revealed that multiple threat actors are selling compromised AnyDesk login credentials on both the clear and dark web.
“One of these threat actors, going by the alias ‘Jobaaaaa,’ and who had initially registered their forum account in 2021, listed over 18,000 AnyDesk customer credentials for sale on Exploit[.]in, a prominent Dark Web forum,” the Resecurity Hunter team wrote in a report.
According to threat intelligence provider SOS Intelligence, this new breach is likely unrelated to the previous cyber-attack.
“The very likely source of these credentials are end customer compromise via stealer malware rather than the AnyDesk breach. This has been partially confirmed by matching some of the exposed client emails to exact stealer log entries we’ve been able to obtain,” SOS Intelligence said on X.
This was confirmed by Hudson Rock, another threat intelligence provider.
However, Resecurity argued that the timeframe indicates that cybercriminals familiar with the initial incident are hurrying to monetize available customer credentials before AnyDesk customers take proactive measures to reset their credentials.
Notably, the timestamps visible on the screenshots shared by the threat actor with Resecurity show successful unauthorized access dated February 3, which is after AnyDesk said they resolved the incident.
AnyDesk’s maintenance lasted from January 29 to February 1, during this period it was impossible to log in to the AnyDesk’s portal.
“This suggests that many customers have still not changed their access credentials, or this mechanism was still ongoing by the affected parties,” Resecurity wrote.
“By gaining access to the AnyDesk portal, bad threat actors could learn meaningful details about the customers – including but not limited to the used license key, number of active connections, duration of sessions, customer ID and contact information, email associated with the account, and the total number of hosts with remote access management software activated, along with their online or offline status and IDs,” Resecurity added.
Resecurity has shared its findings with AnyDesk.
Resecurity’s Mitigations Recommendations
Resecurity advised all AnyDesk customers to contact the company for further information on their organization's potential impact.
The security firm also recommended the following mitigation measures:
- Quickly change your AnyDesk passwords
- Use AnyDesk’s whitelisting feature (AnyDesk IDs) to allow only trusted devices to be authorized to your AnyDesk namespace
- Use multifactor authentication (MFA)
- Monitor unexpected password and MFA changes for customer accounts, suspicious sessions and possible emails sent on behalf of other entities referencing AnyDesk account information