AnyDesk, a prominent remote desktop software provider, reported a recent cyber attack that resulted in the compromise of its production systems. Although the German company clarified that it was not a ransomware attack, the incident led to the unauthorized access of its source code and private code signing keys.
Incident Overview
- Discovery and Response:
  - AnyDesk identified the cyber attack during a security audit and confirmed that it was not ransomware-related. The company has taken immediate measures to remediate and replace the compromised systems.
  - A response plan was activated in collaboration with the cybersecurity firm CrowdStrike, ensuring a comprehensive and swift resolution.
- Actions Taken:
  - AnyDesk revoked all security-related certificates and has already begun replacing its previous code signing certificate with a new one.
  - As a precautionary measure, the company revoked all passwords to its web portal (my.anydesk[.]com) and urges users to change their passwords, especially if they were reused on other online services.
  - Users are advised to download the latest version of the software, which is signed with the new code signing certificate.
Security Implications
- Source Code and Code Signing Certificates:
  - Threat actors stole source code and code signing certificates during the attack. AnyDesk assures users that the software remains safe to use and that there is no evidence of end-user devices being affected.
  - Malicious samples signed with the stolen certificates have already been observed (e.g. AgentTesla).
- User Credentials for Sale:
  - The cybersecurity firm Resecurity identified threat actors offering thousands of AnyDesk customer credentials for sale on Exploit[.]in. The compromised accounts were advertised for $15,000 in cryptocurrency, potentially for use in technical support scams and phishing. However, this listing appears to be unrelated to AnyDesk's incident and is more likely associated with infostealer infections.
- Mitigation Measures:
  - AnyDesk is replacing the stolen code signing certificates and has issued patches to address the vulnerabilities.
  - Although session authentication tokens are designed so that they cannot be stolen, AnyDesk advises users to change their passwords for added security.
User Recommendations
- Software Update:
  - Users are strongly urged to download the latest version of AnyDesk, which is signed with the new code signing certificate.
- Password Reset:
  - Change passwords on the AnyDesk web portal and consider updating passwords on other online services, especially if they were reused.
- Hunt for Malicious Samples:
  - Security researchers have already published YARA rules and Defender ATP KQL queries that users can run to threat hunt for files signed with the stolen certificates.
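The hunting step above, as an added illustration that is not part of the original advisory nor of the referenced YARA/KQL rules: a Python triage pass over an EDR-style file-certificate inventory that separates trusted vendor builds carrying the now-revoked certificate from unknown binaries signed with it. The certificate thumbprint, revocation date, trusted hashes and inventory rows are all constructed placeholders (assumptions); replace them with the values from the vendor statement and the referenced queries.

```python
import csv
import io
from datetime import datetime, timezone

# Placeholders (assumptions): the thumbprint of the revoked AnyDesk code signing
# certificate and its revocation date are not given on this page; take them from
# the vendor statement or the referenced KQL query before running this for real.
REVOKED_THUMBPRINTS = {"PLACEHOLDER_REVOKED_ANYDESK_CERT_THUMBPRINT"}
REVOCATION_DATE = datetime(2024, 2, 1, tzinfo=timezone.utc)
# SHA-256 hashes of vendor builds the organisation already trusts (placeholder).
KNOWN_GOOD_SHA256 = {"PLACEHOLDER_SHA256_OF_TRUSTED_ANYDESK_BUILD"}

# Constructed inventory in the shape of an EDR file-certificate export.
INVENTORY_CSV = r"""path,sha256,signer_thumbprint,sign_time
C:\Program Files (x86)\AnyDesk\AnyDesk.exe,PLACEHOLDER_SHA256_OF_TRUSTED_ANYDESK_BUILD,PLACEHOLDER_REVOKED_ANYDESK_CERT_THUMBPRINT,2023-11-02T10:00:00Z
C:\Users\bob\AppData\Local\Temp\update.exe,1111111111111111111111111111111111111111111111111111111111111111,PLACEHOLDER_REVOKED_ANYDESK_CERT_THUMBPRINT,2024-02-03T08:15:00Z
C:\Users\bob\Downloads\setup.exe,2222222222222222222222222222222222222222222222222222222222222222,placeholder_revoked_anydesk_cert_thumbprint,2024-01-20T12:00:00Z
C:\Windows\System32\notepad.exe,3333333333333333333333333333333333333333333333333333333333333333,OTHER_SIGNER_THUMBPRINT,2023-01-01T00:00:00Z
"""


def triage(inventory_csv, revoked=REVOKED_THUMBPRINTS, known_good=KNOWN_GOOD_SHA256,
           revoked_at=REVOCATION_DATE):
    """Return one finding per file signed with a revoked certificate, ranked for triage."""
    trusted = {h.lower() for h in known_good}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Thumbprints are hex, so compare them case-insensitively.
        if row["signer_thumbprint"].strip().upper() not in revoked:
            continue
        signed_at = datetime.fromisoformat(row["sign_time"].replace("Z", "+00:00"))
        if row["sha256"].lower() in trusted:
            # Known vendor build: not malicious, but its certificate is revoked,
            # so it must be replaced with the re-signed release.
            severity, reason = "low", "known vendor build; update to the re-signed release"
        elif signed_at >= revoked_at:
            # The vendor would not sign with a revoked key, so a signature dated
            # after revocation points at whoever holds the stolen key.
            severity, reason = "high", "signed after revocation with the stolen certificate"
        else:
            # Unknown binary carrying the compromised certificate: verify its hash
            # against vendor releases before trusting it.
            severity, reason = "medium", "unknown binary signed with the compromised certificate"
        findings.append({"path": row["path"], "sha256": row["sha256"],
                         "severity": severity, "reason": reason})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        print(f"[{f['severity'].upper():6}] {f['path']}: {f['reason']}")
```

The signing time comes from the inventory source and is only as trustworthy as that source's timestamp handling, so the hash allowlist, not the date, is what clears a file.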
References
- https://www.resecurity.com/blog/article/following-the-anydesk-incident-customer-credentials-leaked-and-published-for-sale-on-the-dark-web
- https://thehackernews.com/2024/02/anydesk-hacked-popular-remote-desktop.html
- https://www.tenable.com/blog/frequently-asked-questions-on-security-incident-at-anydesk
- https://anydesk.com/en/public-statement
- https://twitter.com/cyb3rops/status/1753440743480238459
- https://github.com/cyb3rmik3/KQL-threat-hunting-queries/blob/main/01.ThreatHunting/binaries-using-anydesk-compromised-certificate.md
- https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
- https://www.linkedin.com/posts/alon-gal-utb_i-see-that-there-is-some-confusion-about-activity-7159893240748388352-4cMu/