Popular remote desktop software vendor AnyDesk has announced that its production systems were recently breached by an unnamed threat actor, resulting in the compromise of its source code, code signing and security-related certificates.
AnyDesk has subsequently revoked the compromised certificates and released new versions of its software signed by a new, secure certificate.
While AnyDesk emphasized that it wasn’t a ransomware attack and that no passwords or sessions which could be used to exploit end users were stolen, it has revoked all passwords to its web portal out of an abundance of caution.
Contrary to AnyDesk’s statement, at least two threat actors have been discovered advertising the sale of over 18,000 AnyDesk credentials—which could be used for phishing and technical support scams—for $15,000.
Screenshots of the credentials posted by the threat actors were dated February 3, 2024, a day after AnyDesk officially announced the breach. However, the threat actors have not explained how the credentials were originally obtained.
AnyDesk maintains that there is no risk to users if they are using the latest version of the software and have reset their password.
Source: Bleeping Computer
Analysis
Code signing and security-related certificates are a high-value target for threat actors since they can be used to sign malware, tricking users into installing what would appear to be legitimate AnyDesk software. Fortunately, it appears that AnyDesk was quick to mitigate this threat by revoking the compromised certificate and using a new one to sign an updated version of its software for users.
This attack will likely have further repercussions for AnyDesk and its 170,000 customers given that customer information allegedly obtained during the breach is available for sale online, contradicting AnyDesk’s claim that end users could not be exploited as a result of the attack.
Furthermore, the attack may lead to the future exploitation of zero-day vulnerabilities discovered by analyzing the stolen AnyDesk source code.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software like AnyDesk. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified via the portal when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of AnyDesk to update to the latest version via AnyDesk’s download platform and reset their password as soon as possible.
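One way for an administrator to verify that this advice has been followed on a Windows host, as an added example that is not Field Effect's or AnyDesk's own code: inventory the AnyDesk binaries, check each one's Authenticode signature and report the signing certificate and file version, so that copies still signed with the old, revoked certificate can be found and replaced with the re-signed release. The install paths are assumed typical defaults and the expected certificate thumbprint is a placeholder to be replaced with the value of AnyDesk's new signing certificate.

```powershell
# Added example (not Field Effect's or AnyDesk's code). Finds AnyDesk executables and
# libraries, checks their Authenticode signature and flags anything not signed with the
# expected (new) certificate for review.
# ASSUMPTIONS: the search roots are common default install locations; the thumbprint
# below is a placeholder and must be replaced with AnyDesk's published new certificate.

$ExpectedThumbprint = 'REPLACE_WITH_ANYDESK_NEW_CERT_THUMBPRINT'   # placeholder value
$SearchRoots = @(
    "$env:ProgramFiles\AnyDesk",
    "${env:ProgramFiles(x86)}\AnyDesk",
    "$env:APPDATA\AnyDesk",
    "$env:ProgramData\AnyDesk"
)

function Get-AnyDeskSignatureReport {
    param(
        [string[]]$Roots    = $SearchRoots,
        [string]  $Expected = $ExpectedThumbprint
    )

    # Collect candidate binaries from every root that exists on this host
    $binaries = foreach ($root in $Roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue
        }
    }

    foreach ($file in $binaries) {
        $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        # Anything unsigned, tampered or signed by an unexpected certificate needs review
        $verdict = if ($sig.Status -ne 'Valid') { 'REVIEW: signature not valid' }
                   elseif ($thumb -ne $Expected) { 'REVIEW: unexpected signing certificate' }
                   else { 'OK' }

        [pscustomobject]@{
            Path       = $file.FullName
            Version    = $file.VersionInfo.FileVersion
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { '(unsigned)' }
            Thumbprint = $thumb
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Verdict    = $verdict
        }
    }
}

# Run the report, listing items that need attention first
Get-AnyDeskSignatureReport | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

Run this from an elevated PowerShell session so that the Program Files locations are readable; hosts where any row reports a REVIEW verdict, or a file version older than the re-signed release, are the ones to update first. The version column is reported alongside the signature because a file can carry a valid signature under the old certificate until that certificate's revocation propagates, so the expected thumbprint comparison, not the Status field alone, is what identifies binaries still tied to the compromised certificate.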