Advisory February 5, 2024

AnyDesk Mandates Password Reset due to Incident

Obrela TI Team

AnyDesk, a prominent remote desktop software provider, reported a recent cyber attack that resulted in the compromise of its production systems. Although the German company clarified that it was not a ransomware attack, the incident led to the unauthorized access of its source code and private code signing keys.

Incident Overview

  1. Discovery and Response:
    • AnyDesk identified the cyber attack during a security audit and confirmed that it was not ransomware-related. The company has taken immediate measures to remediate and replace compromised systems.
    • A response plan was activated in collaboration with cybersecurity firm CrowdStrike, ensuring a comprehensive and swift resolution.
  2. Actions Taken:
    • AnyDesk revoked all security-related certificates and has already initiated the replacement of its previous code signing certificate with a new one.
    • As a precautionary measure, the company revoked all passwords to its web portal (my.anydesk[.]com) and urges users to change their passwords, especially if reused on other online services.
    • Users are advised to download the latest version of the software, which includes the new code signing certificate.

Security Implications

  1. Source Code and Code Signing Certificates:
    • Threat actors stole source code and code signing certificates during the attack. AnyDesk assures users that the software remains safe to use, and there is no evidence of end-user devices being affected.
    • Malicious samples signed with these stolen certificates have already been observed (e.g. AgentTesla).
  2. User Credentials for Sale:
    • Cybersecurity firm Resecurity identified threat actors offering thousands of AnyDesk customer credentials for sale on Exploit[.]in. The compromised accounts were advertised for $15,000 in cryptocurrency, potentially for technical support scams and phishing. However, this rumor seems to be unrelated to AnyDesk’s incident and to be associated instead with infostealer infections.
  3. Mitigation Measures:
    • AnyDesk is replacing stolen code signing certificates and has issued patches to address the vulnerabilities.
    • Although session authentication tokens are designed not to be stolen, AnyDesk advises users to change passwords for added security.

User Recommendations

  1. Software Update:
    • Users are strongly urged to download the latest version of AnyDesk, which includes the new code signing certificate.
  2. Password Reset:
    • Change passwords on the AnyDesk web portal and consider updating passwords on other online services, especially if reused.
  3. Hunt Malicious Samples:
    • Security researchers have already developed YARA rules and Defender ATP KQL queries that users can use to hunt for files signed with the stolen certificates.
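For environments that rely on an exported signer inventory instead of YARA or KQL, the same hunt can be sketched in Python; this is an added example, not code from AnyDesk, Obrela or the researchers mentioned above. The serial number, the CSV columns and every inventory row are constructed placeholders; substitute the serial of the revoked certificate from the vendor's notice.

```python
import csv
import io

# Placeholder: serial of the revoked code signing certificate.
# Constructed value, NOT the real one.
REVOKED_SERIALS = {"0A1B2C3D4E5F60718293A4B5C6D7E8F9"}

# Constructed inventory (path, product name, signer certificate serial).
# Tools print serials differently: colons, spaces, a 0x prefix, leading zeros.
INVENTORY = r"""path,product,signer_serial
C:\Program Files (x86)\AnyDesk\AnyDesk.exe,AnyDesk,0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9
C:\Users\j.doe\AppData\Local\Temp\invoice.exe,,0A1B2C3D4E5F60718293A4B5C6D7E8F9
C:\Tools\viewer.exe,Viewer,00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
D:\Installers\AnyDesk.exe,AnyDesk,0x0A1B2C3D4E5F60718293A4B5C6D7E8F9
"""

def norm_serial(raw):
    """Canonical serial: uppercase hex, no separators, prefix or leading zeros."""
    s = raw.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    for sep in (":", " ", "-"):
        s = s.replace(sep, "")
    if not s or any(c not in "0123456789abcdef" for c in s):
        return None  # not a serial number; never matches
    return s.lstrip("0").upper()

def hunt(inventory_csv):
    """Return sorted (action, path) pairs for files signed with a revoked cert."""
    revoked = {norm_serial(s) for s in REVOKED_SERIALS}
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if norm_serial(row["signer_serial"]) in revoked:
            # Product name is file metadata an attacker can set: use it only
            # to order triage, never to clear a file.
            action = "update" if row["product"] == "AnyDesk" else "investigate"
            hits.append((action, row["path"]))
    return sorted(hits)  # "investigate" sorts ahead of "update"

if __name__ == "__main__":
    for action, path in hunt(INVENTORY):
        print(f"{action:12} {path}")
```

Files marked "update" are candidates for replacement with the latest AnyDesk release; files marked "investigate" carry the revoked signer without being AnyDesk and should be treated as suspected malicious samples.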