Any(one’s)Desk?


It was a bad week for anyone using the remote desktop software AnyDesk: the company disclosed a breach, revoked all security-related certificates and code-signing certificates, and reset customer passwords across the board. According to AnyDesk, the initial breach occurred in Dec 2023 and was discovered in mid-January.

AnyDesk initially claimed the 4-day outage caused by this breach was for “maintenance” and did not disclose the breach until late Friday afternoon. Note: lying to your customer base does not help build trust or help your brand.

From what we know, the attack affected two relay servers, one in Spain and one in Portugal, and user credentials should not have been compromised. AnyDesk states they did a code review and found no malicious changes to their code base, which is good, but the big concern is that their code-signing certificates were compromised. Those could theoretically be used by attackers to deliver malicious executables that would be trusted by versions of AnyDesk that have not been updated to recognize the revoked certificates.

If you run AnyDesk, make sure you update your software as quickly as possible so you have the proper certificates to mitigate the risk from this breach. Overall, it appears that AnyDesk dodged a bullet, because this could have been much worse.

The attack on AnyDesk is part of a larger trend we are seeing of attackers using legitimate remote support software as part of their toolkit. Because these are legitimate tools used by IT teams, they won’t typically get blocked or flagged by EDR solutions. You can protect yourself by allow-listing the remote support software you use and blocking any other solutions that don’t belong on your network.
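As an added illustration (not FRSecure's or AnyDesk's code), the following Python example audits a process inventory against a remote-support allow-list and also flags allow-listed binaries that are unsigned or signed with a revoked certificate. The tool catalogue, host names, CSV layout and thumbprint placeholders are constructed assumptions; real thumbprints would come from the vendor's advisory.

```python
# Added example: audit a process inventory against a remote-access allow-list.
# Hosts, thumbprints and the tool catalogue below are constructed for illustration.
import csv
import io

# Illustrative, incomplete catalogue: executable name -> product.
REMOTE_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
}
ALLOWED_PRODUCTS = {"AnyDesk"}  # assumption: the one tool IT has approved
# Placeholder: fill in from the vendor's advisory; not a real thumbprint.
REVOKED_THUMBPRINTS = {"REVOKED-CERT-THUMBPRINT-PLACEHOLDER"}

# Constructed inventory, e.g. exported from an EDR or asset tool.
SAMPLE_INVENTORY = """host,image_path,signer_thumbprint
ws-01,C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe,CURRENT-CERT-THUMBPRINT-PLACEHOLDER
ws-02,C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe,REVOKED-CERT-THUMBPRINT-PLACEHOLDER
ws-03,C:\\Users\\bob\\Downloads\\rustdesk.exe,
ws-04,C:\\Windows\\System32\\svchost.exe,OS-CERT-THUMBPRINT-PLACEHOLDER
ws-05,C:\\Users\\amy\\AppData\\Local\\Temp\\AnyDesk.exe,
"""

def audit(inventory_csv):
    """Return (host, product, finding) tuples for rows that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Normalise separators so Windows paths parse on any OS.
        exe = row["image_path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        product = REMOTE_TOOLS.get(exe)
        if product is None:
            continue  # not a remote-access tool we track
        thumb = row["signer_thumbprint"].strip()
        if product not in ALLOWED_PRODUCTS:
            findings.append((row["host"], product, "not allow-listed"))
        elif not thumb:
            findings.append((row["host"], product, "unsigned copy of allowed tool"))
        elif thumb in REVOKED_THUMBPRINTS:
            findings.append((row["host"], product, "signed with revoked certificate"))
    return findings

if __name__ == "__main__":
    for host, product, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product}: {finding}")
```

Matching on file name alone misses renamed binaries, so in practice pair this with signer or hash data from your EDR.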

If you think you may be affected and would like help investigating the issue, please reach out to csirt@frsecure.com

Links:

https://techcrunch.com/2024/02/05/remote-access-giant-anydesk-resets-passwords-and-revokes-certificates-after-hack/

https://www.securityweek.com/anydesk-shares-more-information-on-recent-hack/


