AnyDesk, one of the most popular remote desktop software providers with more than 170,000 customers globally, has confirmed it fell victim to a cyberattack. Attackers gained access to its production environment and stole source code and private code-signing keys. AnyDesk detected suspicious activity on its production servers and launched a security audit, which confirmed the unauthorized access. Assisted by CrowdStrike, AnyDesk activated its incident response plan, which included revoking security-related certificates.
AnyDesk explained in a Friday blog post that this was not a ransomware incident, the impact was limited, and no evidence was found to indicate any end-user devices were compromised. “Our systems are designed not to store private keys, security tokens, or passwords that could be exploited to connect to end-user devices,” explained AnyDesk. AnyDesk confirmed that it remains safe to use, the situation is under control, and the hackers are believed to have been ejected from its production environment.
All users have been advised to confirm they are running the latest version, which is signed with the new code-signing certificate, because the old certificate will soon be revoked. AnyDesk said no authentication tokens were stolen, but out of an abundance of caution all passwords for its web portal have been revoked. If an AnyDesk password has been reused on any other site, AnyDesk recommends changing it there as well; following password best practices, each site should have its own complex, unique password.
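One way to perform that check on a Windows endpoint, as an added example that is not code from AnyDesk or from the article: read the Authenticode signer of the installed AnyDesk binary and flag any build that is unsigned, fails validation, or is signed by a certificate other than the replacement one. The article names no certificate identifiers, so the expected signer pattern, the cutoff date and the install paths below are placeholders that an operator must take from a known-good download of the current release.

```powershell
# Added example, not part of the AnyDesk advisory: report which certificate signed
# the local AnyDesk binary so hosts still running a build signed with the
# soon-to-be-revoked certificate can be scheduled for update.
#
# Assumptions (adjust for your environment):
#   - $ExpectedSigner is a regex matched against the signer certificate Subject;
#     take it from a freshly downloaded, known-good build. The value below is a
#     placeholder, not an identifier from the advisory.
#   - $CutoffDate is the NotBefore of the replacement certificate, also read from
#     the known-good build; anything issued earlier is treated as the old cert.
function Test-AnyDeskSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'CN=AnyDesk',     # placeholder pattern
        [datetime]$CutoffDate   = '2024-02-01'      # placeholder date
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'SKIP: file not present' }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $cert    = $sig.SignerCertificate
    $version = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion

    # Order matters: chain/trust failures first, then the "which cert" checks that
    # still catch an old-but-timestamped signature that WinVerifyTrust accepts.
    $verdict =
        if ($sig.Status -ne 'Valid')                     { "FAIL: signature status is $($sig.Status)" }
        elseif ($null -eq $cert)                         { 'FAIL: no signer certificate' }
        elseif ($cert.NotBefore -lt $CutoffDate)         { 'FAIL: signed with a certificate issued before cutoff (likely the revoked one)' }
        elseif ($cert.Subject -notmatch $ExpectedSigner) { "FAIL: unexpected signer '$($cert.Subject)'" }
        else                                             { 'OK' }

    [pscustomobject]@{
        Path       = $Path
        Version    = $version
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        IssuedOn   = $cert.NotBefore
        Verdict    = $verdict
    }
}

# Common locations for the installed and per-user builds (assumed; extend as needed).
$roots      = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:APPDATA) | Where-Object { $_ }
$candidates = $roots | ForEach-Object { Join-Path $_ 'AnyDesk\AnyDesk.exe' }

$candidates | ForEach-Object { Test-AnyDeskSignature -Path $_ } | Format-Table -AutoSize
```

Run it fleet-wide with `Invoke-Command -ComputerName ... -FilePath` and collect the objects, since a portable AnyDesk.exe can live anywhere (downloads folders and USB drives are worth a `Get-ChildItem -Recurse -Filter AnyDesk.exe` sweep). The date and subject checks are deliberate: a timestamped signature made with the old certificate can still report `Valid` until revocation information propagates, so trust status alone is not a reliable signal that a host is on the re-signed release.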
A day after the breach was disclosed, researchers at Resecurity identified multiple threat actors listing AnyDesk credentials for sale on the clear and dark web, including one threat actor who claimed to have 18,000 AnyDesk customer credentials. While the timing of the posts could indicate data theft from the AnyDesk hack, the compromised credentials are believed to have been obtained via infections with infostealer malware. The threat intelligence provider Hudson Rock confirmed that the credentials being offered for sale did not come from the security breach at AnyDesk. The credentials are likely being monetized now before AnyDesk customers change their passwords.
Because credentials are being sold and leaked, Resecurity recommends that all AnyDesk users reset their passwords. To further harden access, consider using AnyDesk's whitelisting feature to restrict incoming connections to trusted devices only, enforce multifactor authentication, and monitor for any unexpected password or MFA changes.