AnyDesk, a prominent remote desktop software provider, reported a recent cyber attack that resulted in the compromise of its production systems. Although the German company clarified that it was not a ransomware attack, the incident led to the unauthorized access of its source code and private code signing keys.
- Discovery and Response:
  - AnyDesk identified the attack during a security audit and confirmed that it was not ransomware-related. The company immediately began remediating and replacing the compromised systems.
  - A response plan was activated in collaboration with the cybersecurity firm CrowdStrike to ensure a comprehensive and swift resolution.
- Actions Taken:
  - AnyDesk revoked all security-related certificates and has already begun replacing its previous code signing certificate with a new one.
  - As a precaution, the company reset all passwords for its web portal (my.anydesk[.]com) and urges users to change their passwords, especially where the same password is reused on other online services.
  - Users are advised to download the latest version of the software, which is signed with the new code signing certificate.
- Source Code and Code Signing Certificates:
  - Threat actors stole source code and code signing certificates during the attack. AnyDesk states that the software remains safe to use and that there is no evidence of end-user devices being affected.
  - Malicious samples signed with the stolen certificates have already been observed in the wild (e.g. AgentTesla).
- User Credentials for Sale:
  - The cybersecurity firm Resecurity identified threat actors offering thousands of AnyDesk customer credentials for sale on Exploit[.]in. The compromised accounts were advertised for $15,000 in cryptocurrency, potentially for use in technical support scams and phishing. However, this listing appears to be unrelated to AnyDesk's incident and is more likely the result of infostealer infections on customer machines.
- Mitigation Measures:
  - AnyDesk is replacing the stolen code signing certificates and has issued patches to address the vulnerabilities.
  - Although session authentication tokens are designed so that they cannot be stolen, AnyDesk advises users to change their passwords for added security.
- Software Update:
  - Users are strongly urged to download the latest version of AnyDesk, which is signed with the new code signing certificate.
- Password Reset:
  - Change the password on the AnyDesk web portal and consider updating passwords on other online services, especially where the same password was reused.
- Hunt for Malicious Samples:
  - Security researchers have already published YARA rules and Microsoft Defender (ATP) KQL queries that users can run to hunt for files signed with the stolen certificates.
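The hunting approach described above, as an added example that is not one of the published rules and is not from AnyDesk or the researchers mentioned: a YARA rule using the `pe` module to flag Windows executables whose Authenticode signer matches a revoked certificate. The issuer string and serial number are placeholders (the page does not list the actual certificate details); replace them with the values from AnyDesk's advisory before use.

```yara
import "pe"

// Flags PE files carrying a signature from a code signing certificate that
// was revoked after the AnyDesk breach. The issuer and serial below are
// PLACEHOLDERS, not the real certificate values; fill them in from the
// vendor advisory. YARA's pe module reports serials as lowercase hex octets
// separated by colons (e.g. "0a:1b:2c:..."), so write the serial that way.
rule Signed_With_Revoked_AnyDesk_CodeSigning_Cert
{
    meta:
        description = "PE signed with a revoked AnyDesk code signing certificate (placeholder values)"
        author      = "added example, not from the original page"
        reference   = "AnyDesk production systems compromise, February 2024"

    condition:
        // MZ header: only look at PE files
        uint16(0) == 0x5A4D and
        // walk every signer block in the file's Authenticode data
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].issuer contains "REPLACE_WITH_ISSUER_CN" and
            pe.signatures[i].serial == "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"
        )
}
```

Two things to keep in mind when triaging hits. First, the rule matches on signer identity, not on signature validity: YARA reads the certificate fields out of the PKCS#7 blob without verifying the chain, so a sample that merely copied the signature block from a legitimate binary will also match, which is the desired behaviour for a hunt. Second, every legitimate AnyDesk build released before the certificate rotation was signed with the same certificate, so a match on its own is an indicator to investigate (compare the file hash against the vendor's known builds, check where it came from), not a verdict that the file is malicious.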