Popular remote desktop software vendor AnyDesk has confirmed that its production systems were compromised following a cyber-attack.
AnyDesk’s systems were breached by adversaries who managed to steal source code and private code signing keys and gain access to the firm’s production systems, the company revealed on February 2.
“We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully,” AnyDesk said in a public statement.
The firm has revoked all security-related certificates and web portal passwords through maintenance and believes the threat actor is now out of its network.
Spoke w/ AnyDesk on the phone:
1. Confirmed intrusion, but limited impact. IR w/ CrowdStrike & believe TA is out of the network.
2. New code signing certs are on the latest version.
3. No customer data impacted, AnyDesk application is OK, no updates or code tampered with.
— John Hammond (@_JohnHammond) February 2, 2024
The hack was not related to ransomware and AnyDesk found no evidence that any end-user devices were affected.
“Our systems are designed not to store private keys, security tokens, or passwords that could be exploited to connect to end-user devices.”
“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate and that [you] change [your] passwords if the same credentials are used elsewhere,” the company said.
Thousands of Stolen AnyDesk Credentials Sold on Dark Web
On February 4, two days after AnyDesk’s public statement, cybersecurity firm Resecurity revealed that several threat actors are selling compromised AnyDesk login credentials on both the clear and dark web.
“One of these threat actors, going by the alias ‘Jobaaaaa,’ and who had initially registered their forum account in 2021, listed over 18,000 AnyDesk customer credentials for sale on Exploit[.]in, a prominent Dark Web forum,” the Resecurity Hunter team wrote in a report.
According to threat intelligence provider SOS Intelligence, this new breach is likely unrelated to the previous cyber-attack.
“The very likely source of these credentials is end customer compromise via stealer malware rather than the AnyDesk breach. This has been partially confirmed by matching some of the exposed client emails to actual stealer log entries we have been able to obtain,” SOS Intelligence said on X.
This was confirmed by Hudson Rock, another threat intelligence provider.
However, Resecurity argued that the timeframe indicates that cybercriminals familiar with the initial incident are hurrying to monetize available customer credentials before AnyDesk customers take proactive measures to reset their credentials.
Notably, the timestamps seen on the screenshots shared by the threat actor with Resecurity show successful unauthorized access dated February 3, which is after AnyDesk said it had resolved the incident.
AnyDesk’s maintenance lasted from January 29 to February 1; during this period it was impossible to log in to the AnyDesk portal.
“This suggests that many customers have still not changed their access credentials, or this mechanism was still ongoing by the affected parties,” Resecurity wrote.
“By gaining access to the AnyDesk portal, bad threat actors could learn meaningful details about the customers – including but not limited to the used license key, number of active connections, duration of sessions, customer ID and contact information, email associated with the account, and the total number of hosts with remote access management software activated, including their online or offline status and IDs,” Resecurity added.
Resecurity has shared its findings with AnyDesk.
Resecurity’s Mitigation Recommendations
Resecurity advised all AnyDesk customers to contact the company for further information on their organization’s potential impact.
The security firm also recommended the following mitigation measures:
- Immediately change your AnyDesk passwords
- Use AnyDesk’s whitelisting feature (AnyDesk IDs) to allow only trusted devices to be authorized in your AnyDesk namespace
- Use multifactor authentication (MFA)
- Monitor unexpected password and MFA changes for customer accounts, suspicious sessions and possible emails sent on behalf of other entities referencing AnyDesk account information