AnyDesk, the popular remote desktop software provider, has disclosed that its production systems were compromised as a result of a cyber-attack. On February 2, the company confirmed that adversaries infiltrated their systems, stealing source code and private code signing keys, as well as gaining access to their production systems.
In response to the attack, AnyDesk activated a remediation and response plan with the help of cybersecurity firm CrowdStrike. The company reported that the remediation plan was successful: all security-related certificates and web portal passwords were revoked during a maintenance window. AnyDesk believes that the threat actor is no longer present in its network.
A tweet from John Hammond indicated that the intrusion had limited impact: no customer data was affected, and the AnyDesk application itself was not tampered with, with no malicious updates or code changes.
AnyDesk clarified that the cyber-attack was not ransomware-related and that there was no evidence that any end-user devices had been affected. The company stated that its systems are not designed to store private keys, security tokens, or passwords that could be used to connect to end-user devices.
Moreover, the company assured the public that it is now safe to use AnyDesk, emphasizing the need to update to the latest version with the new code signing certificate and to change passwords if the same credentials are used elsewhere.
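Because the stolen code signing keys were revoked and a new certificate issued, the practical check on an endpoint is whether the installed AnyDesk binary carries a valid Authenticode signature from the expected (new) certificate. The PowerShell below is an added example for that check; it is not code from AnyDesk or from the article. The install paths are assumptions about typical locations, and the thumbprint is a placeholder to be replaced with the value the vendor publishes. `Get-AuthenticodeSignature` is the standard Windows cmdlet used here.

```powershell
# Added example (not from AnyDesk or the original article): report which certificate
# signed each installed AnyDesk binary and flag anything that is not the expected signer.

function Test-AnyDeskSignature {
    [CmdletBinding()]
    param(
        # Assumed typical install locations; adjust for your environment.
        [string[]]$Path = @(
            "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe",
            "$env:ProgramFiles\AnyDesk\AnyDesk.exe",
            "$env:APPDATA\AnyDesk\AnyDesk.exe"
        ),
        # PLACEHOLDER: replace with the thumbprint of the vendor's new signing certificate.
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }

        # Status is 'Valid' only if the signature verifies and the chain checks out;
        # SignerCertificate is $null when the file is unsigned.
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate

        [pscustomobject]@{
            Path       = $file
            Status     = $sig.Status
            Subject    = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
            # -eq on strings is case-insensitive in PowerShell, so hex case does not matter.
            Expected   = [bool]($cert -and $cert.Thumbprint -eq $ExpectedThumbprint)
        }
    }
}

$results = Test-AnyDeskSignature -ExpectedThumbprint 'REPLACE-WITH-VENDOR-PUBLISHED-THUMBPRINT'
$results | Format-Table -AutoSize

# Anything unsigned, failing validation, or signed by a different certificate
# (for example the revoked one) is worth reinstalling from the vendor's download page.
$results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Expected } | ForEach-Object {
    Write-Warning "Unexpected signer on $($_.Path): status=$($_.Status) thumbprint=$($_.Thumbprint)"
}
```

Comparing the thumbprint in addition to checking `Status` matters because Windows caches revocation information, so a binary signed with the revoked certificate can still report `Valid` on a host whose CRL cache has not refreshed.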
However, the aftermath of the cyber-attack continued to unfold. On February 4, cybersecurity firm Resecurity disclosed that multiple threat actors were selling compromised AnyDesk login credentials on both the clear web and the dark web. According to Resecurity, one threat actor listed over 18,000 AnyDesk customer credentials for sale on a dark web forum.
While AnyDesk insists that end-user devices remain unaffected, Resecurity argued that the timing indicated cybercriminals familiar with the initial incident were hurrying to monetize the available customer credentials before AnyDesk customers reset them. Resecurity found that many customers had not yet changed their access credentials, potentially allowing threat actors to gain unauthorized access to the AnyDesk portal.
Additionally, Resecurity advised all AnyDesk customers to contact the company for further information on their organization's potential exposure, and recommended mitigation measures including promptly changing AnyDesk passwords, using the software's whitelisting feature to restrict which IDs may connect, enabling multifactor authentication, and monitoring for unexpected configuration changes and suspicious sessions.
In response to the findings, AnyDesk maintained its commitment to resolving the issue and advised its customers to adhere to the recommended mitigation measures. Despite the cyber-attack and subsequent sale of compromised credentials, AnyDesk remains focused on providing a secure and reliable remote desktop solution for its users.