AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. Researcher has learned that source code and private code signing keys were stolen during the attack.
AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which use it for remote support or to access collocated servers.
The software is also popular among threat actors who use it for persistent access to breached devices and networks.
The company reports having 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations.
In a statement shared at Friday afternoon, AnyDesk says they first learned of the attack after detecting indications of an incident on their production servers.
After conducting a security audit, they determined their systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike.
AnyDesk did not share details on whether data was stolen during the attack. However, researcher has learned that the threat actors stole source code and code signing certificates.
The company also confirmed ransomware was not involved but didn't share too much information about the attack other than saying their servers were breached, with the advisory mainly focusing on how they responded to the incident.
As part of their response, AnyDesk says they have revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident.
"We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate," AnyDesk said in a public statement.
While the company says that no authentication tokens were stolen, out of caution, AnyDesk is revoking all passwords to their web portal and suggests changing the password if it's used on other sites.
"AnyDesk is designed in a way which session authentication tokens cannot be stolen. They only exist on the end user's device and are associated with the device fingerprint. These tokens never touch our systems, "AnyDesk reseponse.
"We have no indication of session hijacking as to our knowledge this is not possible."
The company has already begun replacing stolen code signing certificates, with Günter Born of BornCity first reporting that they are using a new certificate in AnyDesk version 8.0.8, released on January 29th. The only listed change in the new version is that the company switched to a new code signing certificate and will revoke the old one soon.
Researcher looked at previous versions of the software, and the older executables were signed under the name 'philandro Software GmbH' with serial number 0dbf152deaf0b981a8a938d53f769db8. The new version is now signed under 'AnyDesk Software GmbH,' with a serial number of 0a8177fcd8936a91b5e0eddf995b0ba5, as shown below.
Certificates are usually not invalidated unless they have been compromised, such as being stolen in attacks or publicly exposed.
While AnyDesk had not shared when the breach occurred, Born reported that AnyDesk suffered a four-day outage starting on January 29th, during which the company disabled the ability to log in to the AnyDesk client.
"my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less," reads the AnyDesk status message page.
"You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete."
Yesterday, access was restored, allowing users to log in to their accounts, but AnyDesk did not provide any reason for the maintenance in the status updates.
However, AnyDesk has confirmed that this maintenance is related to the cybersecurity incident.
It is strongly recommended that all users switch to the new version of the software, as the old code signing certificate will soon be revoked.
Furthermore, while AnyDesk says that passwords were not stolen in the attack, the threat actors did gain access to production systems, so it is strongly advised that all AnyDesk users change their passwords. Furthermore, if they use their AnyDesk password at other sites, they should be changed there as well.
Every week, it feels like we learn of a new breach against well-known companies.
Last night, Cloudflare disclosed that they were hacked on Thanksgiving using authentication keys stolen during last years Okta cyberattack.
Last week, Microsoft also revealed that they were hacked by Russian state-sponsored hackers named Midnight Blizzard, who also attacked HPE in May.
Microsoft released its batch of monthly security updates this month covering 73 vulnerabilities, including two zero-day flaws exploited in the wild. While organizations should prioritize all critical and high-risk issues, there is one critical vulnerability in Outlook that researchers claim could open the door to trivial attacks that result in remote code execution.Read More
Microsoft on Tuesday rolled out a massive batch of security-themed software updates and called urgent attention to at least three vulnerabilities being exploited in live malware attacks. The world’s largest software maker documented 72 security vulnerabilities in the Windows ecosystem and warned users of the risk of remote code execution, security feature bypass, information disclosure and privilege escalation attacks.Read More
The Cybersecurity and Infrastructure Security Agency , National Security Agency , Federal Bureau of Investigation , and other authoring agencies have released a joint guidance about common living off the land techniques and common gaps in cyber defence capabilities.Read More