AnyDesk confirms production systems were breached

"We can confirm that the situation is under control" is not the most detailed incident response report we've seen.

AnyDesk, a remote access software company based in Germany with 170,000 customers globally, including Comcast and Thales, has confirmed its production systems were compromised in a security incident. 

The company had left customers sweating for three days after client logins failed and it notified them of unplanned maintenance. A changelog showed it invalidated a previous code signing certificate on January 29.

Germany's BSI warned after the incident that "possible leakage of the source code and certificates poses a risk that this information could be used for further attacks on the provider's customers."


In a late Friday, February 2 security advisory, AnyDesk said: “Following indications of an incident on some of our systems we conducted a security audit and found evidence of compromised production systems.

"We immediately activated a remediation and response plan involving cyber security experts CrowdStrike…”

AnyDesk hacked: No ransomware, no details

The incident was not related to ransomware, it added.

AnyDesk, founded in 2014 and with customers in 190 countries, added: “We have no evidence that any end-user devices have been affected. 

“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate” it added, in a distinctly detail-thin report.

Code-signing certificates, issued by a trusted third party such as a certificate authority, bind a software publisher's identity to a public key. The publisher signs each release with the matching private key, and when a binary is installed the operating system checks that signature against the certificate chain to confirm the file has not been tampered with and that it really came from that publisher. If the private key is stolen, the thief can sign malware with it, and systems will treat that malware as if it came from a trusted source until the certificate is revoked and, crucially, until clients actually check for that revocation.
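To make concrete what the operating system actually checks, and why revocation is the only lever once a key has leaked, here is an added example that is not part of the original article and not AnyDesk's or any vendor's code. Using only Go's standard-library x509 package, it builds a throwaway root CA and a code-signing leaf, signs a stand-in "binary", then verifies it the way a loader would: chain, revocation, signature. The CA and vendor names, serial numbers and byte strings are all made up, and the revocation set stands in for a CRL or OCSP lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer pairs a certificate with its private key: the vendor holds one, and so does anyone who stole the key.
type Signer struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// issue generates a key pair and certificate. ca=true makes a self-signed root (a stand-in for a
// public CA); otherwise parent signs a leaf restricted to code signing, as a CA does for a vendor.
func issue(cn string, serial int64, ca bool, parent *Signer) (*Signer, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signer := &Signer{Cert: tmpl, Key: key}
	if ca { // a root signs itself and carries no code-signing EKU
		tmpl.KeyUsage, tmpl.ExtKeyUsage, parent = x509.KeyUsageCertSign, nil, signer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, pub, parent.Key)
	if err != nil {
		return nil, err
	}
	signer.Cert, err = x509.ParseCertificate(der)
	return signer, err
}

// Sign produces a detached signature over the binary (Ed25519 hashes the message internally).
func (s *Signer) Sign(binary []byte) []byte {
	return ed25519.Sign(s.Key, binary)
}

// Verifier does what an OS loader does: chain check, revocation check, then the signature.
// Revoked stands in for a CRL or OCSP lookup, which many hosts skip or cache for days.
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool // revoked certificate serial numbers
}

func (v *Verifier) Verify(binary, sig []byte, cert *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if v.Revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, binary, sig) {
		return fmt.Errorf("signature does not match binary")
	}
	return nil
}

// Scenario reports whether verification passes for the vendor's genuine build, a tampered copy,
// malware signed with the stolen key before the certificate is revoked, and the same after.
func Scenario() (genuine, tampered, stolenBefore, stolenAfter bool, err error) {
	ca, err := issue("Example Root CA", 1, true, nil) // hypothetical names throughout
	if err != nil {
		return
	}
	vendor, err := issue("Example Vendor GmbH", 4242, false, ca)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	v := &Verifier{Roots: roots, Revoked: map[string]bool{}}
	build := []byte("legitimate installer bytes") // constructed stand-in for a real PE file
	malware := []byte("malicious payload bytes")  // constructed
	sig := vendor.Sign(build)
	msig := vendor.Sign(malware) // the attacker holds vendor.Key, so this signature is as valid as sig
	genuine = v.Verify(build, sig, vendor.Cert) == nil
	tampered = v.Verify(append([]byte("x"), build...), sig, vendor.Cert) == nil
	stolenBefore = v.Verify(malware, msig, vendor.Cert) == nil
	v.Revoked[vendor.Cert.SerialNumber.String()] = true // the CA revokes; this host has seen the CRL
	stolenAfter = v.Verify(malware, msig, vendor.Cert) == nil
	return
}
```

The genuine build passes, the tampered copy fails, and the malware signed with the stolen key passes exactly as the genuine build does until the serial is revoked. On a host that never fetches revocation data, or that cached a stale CRL, it keeps passing, which is why a detection rule keyed on the compromised certificate (as Roth published) is worth running alongside the platform's own signature check.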

Security researcher Florian Roth, who swiftly created a YARA rule to detect binaries signed with the potentially compromised AnyDesk signing certificate even before the firm confirmed the incident, noted on X that he had found "over 2300+ binaries signed with that certificate..."

AnyDesk said: “We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly… 

“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices. 

“As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,” it added in its update.

Rumours of an AnyDesk hack raised hackles widely because of the scale of downstream damage that can be done if a remote access software provider gets hit. July 2021's attack on Kaseya is a powerful case in point: a threat group used vulnerabilities in the company's VSA remote monitoring and management software to compromise 50+ MSPs that ran it, then piggybacked on that access in turn to hit over 1,500 of the MSPs' downstream customers with ransomware.

AnyDesk did not share any more details nor any Indicators of Compromise and dumped the advisory at 11pm German time.

Security professional Jake Williams noted on X: "This shouldn't be coming out on a Friday afternoon when they took systems offline days ago. This is a PR move. Companies that are being transparent don't play these shenanigans."

He added: "Threat hunt in your environment anywhere you had AnyDesk installed for anomalous activity over at least the last 30 days. When the intrusion vector isn't being shared, you have to presume they don't yet know. Even if they know, it's usually a leap to say what was accessed. Think about it: do you think a threat actor jumped onto one machine and pulled a code signing cert and that's it? No? Oh, okay. Consider disabling AnyDesk in your environment, either by disabling the agent through GPO or blocking at a network level until more is known. I don't have any inside knowledge on this particular incident. But I've worked plenty of incidents in my day and the reporting on this one stinks to high heaven."
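Williams' advice to hunt across every host where AnyDesk was installed can start from AnyDesk's own connection log. The Go program below is an added example, not code from the article, from Williams or from AnyDesk. It parses the tab-separated connection_trace.txt layout as the author of this example understands it (direction, timestamp, authentication method, remote ID, alias; check it against a real file before relying on it), keeps a 30-day window, and flags incoming sessions from IDs not on an allowlist or unattended-access logins outside business hours. The sample log lines, IDs, aliases and allowlist are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Connection is one line of AnyDesk's connection_trace.txt. The tab-separated
// layout assumed here (verify against a real file before relying on it) is:
//   Direction  "YYYY-MM-DD, HH:MM"  AuthMethod  RemoteID  RemoteAlias
// where AuthMethod is User (interactively accepted), Passwd (unattended-access
// password), Token (remembered login) or REJECTED.
type Connection struct {
	Direction string
	When      time.Time
	Auth      string
	RemoteID  string
	Alias     string
}

// ParseTrace parses the file contents, rejecting malformed lines outright so
// that a truncated or edited log is noticed rather than silently skipped.
func ParseTrace(text string) ([]Connection, error) {
	var conns []Connection
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) < 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		when, err := time.Parse("2006-01-02, 15:04", f[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		conns = append(conns, Connection{f[0], when, f[2], f[3], f[4]})
	}
	return conns, sc.Err()
}

// Finding is a connection that warrants a closer look, with the reason.
type Finding struct {
	Conn   Connection
	Reason string
}

// Hunt flags incoming sessions inside the lookback window that came from an
// AnyDesk ID not on the allowlist, or that used unattended access (password or
// token, i.e. nobody at the keyboard approved them) outside 07:00-19:00 Mon-Fri.
func Hunt(conns []Connection, now time.Time, lookback time.Duration, allowed map[string]bool) []Finding {
	var out []Finding
	cutoff := now.Add(-lookback)
	for _, c := range conns {
		if c.Direction != "Incoming" || c.When.Before(cutoff) {
			continue
		}
		offHours := c.When.Hour() < 7 || c.When.Hour() >= 19 ||
			c.When.Weekday() == time.Saturday || c.When.Weekday() == time.Sunday
		switch {
		case !allowed[c.RemoteID]:
			out = append(out, Finding{c, "incoming session from an AnyDesk ID not on the allowlist"})
		case (c.Auth == "Passwd" || c.Auth == "Token") && offHours:
			out = append(out, Finding{c, "unattended-access login outside business hours"})
		}
	}
	return out
}

// SampleTrace is a constructed log, not a real capture; IDs and aliases are made up.
const SampleTrace = "Incoming\t2024-01-10, 09:15\tUser\t100200300\thelpdesk-1\n" +
	"Incoming\t2024-01-25, 03:42\tPasswd\t100200300\thelpdesk-1\n" +
	"Incoming\t2024-01-28, 14:05\tToken\t987654321\t\n" +
	"Outgoing\t2024-01-29, 11:00\tUser\t100200300\thelpdesk-1\n" +
	"Incoming\t2023-12-20, 02:00\tPasswd\t555666777\t\n"

func main() {
	conns, err := ParseTrace(SampleTrace)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 2, 3, 0, 0, 0, 0, time.UTC) // fixed "now" so the run is reproducible
	for _, f := range Hunt(conns, now, 30*24*time.Hour, map[string]bool{"100200300": true}) {
		fmt.Printf("%s %s from %s (%s): %s\n", f.Conn.When.Format("2006-01-02 15:04"), f.Conn.Auth, f.Conn.RemoteID, f.Conn.Alias, f.Reason)
	}
}
```

On the constructed sample this reports the 03:42 password login from the known helpdesk ID and the token login from the unknown ID, and ignores the outbound session and the entry older than 30 days. Passwd and Token sessions are the ones to care about, since no one at the keyboard approved them. The trace file lives on the host, so an intruder with a session can edit it; corroborate any finding with endpoint telemetry for the same window and check the signature on the installed AnyDesk binaries against the new certificate.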

In an advisory published in German on February 5, BSI added: "Man-in-the-middle and supply chain attacks are conceivable in this context [as a result of the breach...]; these could go unnoticed or, in the worst case, attacks may already have taken place undetected. The measures implemented by the operator significantly reduce the current risk. However, it cannot be ruled out that malicious versions of the software, signed with the compromised certificate, are being offered on third-party sites or sent to customers by attackers in targeted attacks..."
