In February 2024, AnyDesk, a popular remote access solution, disclosed a cyberattack that compromised its production systems. The breach raised concerns about several risks: password compromise, malicious use of stolen certificates, and a potential supply chain attack. Shortly after the announcement, Cybersixgill identified cybercriminals on prominent dark web forums offering more than 18,000 credentials for sale.
Behind the Headlines
The specific cause of the AnyDesk breach has not been disclosed. The company has stated that unauthorized access to its production systems occurred, but it has not yet provided details about the method or vulnerability exploited by the attackers. It is important to note that the investigation into the breach is ongoing, and further details may be revealed in the future.
The attackers were able to compromise the certificate used by AnyDesk to sign executables, allowing them to sign any executable as AnyDesk and potentially evade security products. There is also a risk of a software supply chain attack, as the attackers had significant access to AnyDesk's production environment.
AnyDesk has stated that there is no evidence of private keys, security tokens, or passwords being obtained that could be used to exploit end-user devices; however, Cybersixgill has observed threat actors offering over 18,000 AnyDesk credentials for sale on the dark web. The connection between the sale and the breach is still unclear. AnyDesk claims that the attackers were not able to compromise user authentication secrets but chose to revoke passwords as a precaution.
AnyDesk responded to the attack by taking several measures to mitigate the incident and ensure the security of its systems. According to their statement, they worked with cybersecurity experts from CrowdStrike to remediate the incident and notify the authorities. They revoked all security-related certificates and remediated or replaced systems where necessary.
The company also announced that they would be revoking the previous code signing certificate for their binaries and replacing it with a new one. As a precautionary measure, they revoked all passwords to their web portal and advised users to change their passwords if the same credentials were used elsewhere. Despite the compromise of user portal access details, AnyDesk was keen to reassure clients that its software remains safe to use, advising users to upgrade to the latest versions of the software, specifically versions 7.0.15 and 8.0.8, for enhanced security.
Defenders are advised to assess password-related risks, hunt for suspicious activity, and identify revoked certificate use. They should also update old AnyDesk clients and apply mitigation steps to minimize the impact of the breach. AnyDesk users are urged to regularly update passwords, enable two-factor authentication, and remain vigilant for any suspicious activities on their accounts.
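Two of the defender actions above, finding old AnyDesk clients and finding binaries still signed with the revoked certificate, can be driven from an endpoint inventory. The following Python triage helper is an added example, not code from AnyDesk, Cybersixgill, or this article. It assumes an inventory of (host, installed version, signer certificate thumbprint) records, applies the branch-specific fixed releases named above (7.0.15 for 7.x, 8.0.8 for 8.x), and matches the signer thumbprint against a revoked list. The revoked thumbprint is a placeholder, because this page does not publish it; take the real value from AnyDesk's advisory before use.

```python
"""Triage AnyDesk installs: flag outdated clients and revoked-certificate signers.
Added example for this article; not AnyDesk's or Cybersixgill's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed releases named in the advisory, keyed by major version branch.
FIXED_RELEASE = {7: (7, 0, 15), 8: (8, 0, 8)}

# PLACEHOLDER: the revoked certificate thumbprint is not given on this page.
# Replace with the value published in AnyDesk's own advisory.
REVOKED_THUMBPRINTS = {"PLACEHOLDER-REVOKED-ANYDESK-CERT-THUMBPRINT"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.15' into (7, 0, 15) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def fixed_release_for(version: str) -> Optional[Tuple[int, ...]]:
    """Fixed release for the install's branch, or None if the branch is not listed."""
    return FIXED_RELEASE.get(parse_version(version)[0])


def needs_update(version: str) -> bool:
    """True when the client is older than the fixed release for its branch.
    Branches the advisory does not name (e.g. 6.x) are treated as needing update."""
    fixed = fixed_release_for(version)
    if fixed is None:
        return True
    return parse_version(version) < fixed


def is_revoked_signer(thumbprint: str) -> bool:
    """Case-insensitive match of a signer thumbprint against the revoked list."""
    return thumbprint.strip().upper() in {t.upper() for t in REVOKED_THUMBPRINTS}


@dataclass
class Install:
    host: str
    version: str
    signer_thumbprint: str  # thumbprint of the certificate on the AnyDesk binary


def triage(installs: List[Install]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for every install that needs attention."""
    findings = []
    for inst in installs:
        if needs_update(inst.version):
            fixed = fixed_release_for(inst.version)
            if fixed is None:
                msg = f"version {inst.version} is on an unlisted branch; upgrade to 7.0.15 or 8.0.8"
            else:
                msg = f"version {inst.version} is below fixed release {'.'.join(map(str, fixed))}"
            findings.append((inst.host, msg))
        if is_revoked_signer(inst.signer_thumbprint):
            findings.append((inst.host, "binary signed with revoked certificate"))
    return findings


# Constructed sample inventory: hostnames and thumbprints are made up for the example.
SAMPLE_INSTALLS = [
    Install("ws-01", "7.0.14", "CURRENT-CERT-THUMBPRINT-EXAMPLE"),
    Install("ws-02", "8.0.8", "CURRENT-CERT-THUMBPRINT-EXAMPLE"),
    Install("ws-03", "8.0.8", "PLACEHOLDER-REVOKED-ANYDESK-CERT-THUMBPRINT"),
    Install("ws-04", "6.3.0", "CURRENT-CERT-THUMBPRINT-EXAMPLE"),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INSTALLS):
        print(f"{host}: {finding}")
```

The branch-aware comparison matters because a naive "version < 8.0.8" check would wrongly flag every fully patched 7.x client; tuple comparison on parsed integers also avoids the lexical trap where "7.0.9" sorts above "7.0.15". In practice the signer thumbprint would come from a signature query on the installed binary (for example an Authenticode check on Windows), and a match against the revoked list is worth an alert even on a client whose version is current.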
AnyDesk has stated that measures are being taken to enhance security and prevent future breaches. The incident highlights the ongoing challenges faced by remote desktop software providers in maintaining the security of user data.