AnyDesk Production Systems Compromised
Running AnyDesk? Time to start patching. As if the minefield that system administrators have to walk on a daily basis isn’t bad enough, AnyDesk confirms that they have had a breach of their production systems. As of the time of writing, no timeline has been officially released. It is suspected that unauthorized access started early to mid-January 2024 and concluded January 29th, 2024.
During that time, threat actors compromised systems and ran away with source code and the signing certificates used for the AnyDesk client. No official statements have been made on the specific details behind the event, including initial access. With Crowdstrike assisting in IR and remediation efforts, these details will likely be made public at some point.
AnyDesk Responds
AnyDesk has made it clear that ransomware was not the objective of this attack. As of February 4th, systems have been secured and are safe to use. New signing certificates have been issued and applied to both the custom client and general client as of versions 7.0.15 and 8.0.8, respectively. Older versions of the software will continue to run with the compromised certificates. These will likely be revoked by AnyDesk in the future. Antivirus may also soon start blocking or quarantining these versions, so make sure you get updated as soon as possible.
AnyDesk has confirmed that they have no indication that user endpoints were affected or compromised due to this event. Furthermore, there has been no evidence to indicate that user credentials have been compromised. Out of an abundance of caution, AnyDesk has revoked credentials for users of the customer portal, “my.anydesk.com II”. Customers who use “my.anydesk.com I” are completely uninvolved, since the attack has been pinpointed to specific relay servers in Europe that are only used by and accessible to “my.anydesk.com II”. Again, AnyDesk has stated that there is no evidence credential theft has taken place; however, to even be considered possibly vulnerable to credential theft in this incident, you would have had to:
- Authenticate to an affected relay server, used by “my.anydesk.com II”
- The relay server you’re authenticating to is in Europe
- The relay server is inside the location zone of the affected servers (Spain and Portugal)
- You manually entered credentials into the client during the time of the incident (early to mid-January through January 29th).
It’s not just one of these conditions that has to be true, but ALL have to be true. This is basically AnyDesk saying, “If credentials were compromised, this is how it would have to happen”. This is also an ongoing investigation, so it is likely we will get further confirmation of compromised credentials, if there are any. Either way, we’re all so used to resetting passwords at this point that it may just be easier to do a quick reset and move on to the next fire that requires your attention.
“Is it safe to run AnyDesk, even after patching?”
The true consequences of this attack remain to be seen. The details are still coming out and we will likely not have a full disclosure of the event anytime soon. The answer to this question then comes down to your own organizational risk appetite. That is, what level of risk are you willing to accept while waiting for additional information to surface? That answer is wildly different between organizations and no answer is wrong (that is, unless you’re accepting any and all risk, which is a…questionable strategy). Let’s attempt to understand the implications of having source code and signing certificates stolen – what can threat actors do with these? It’s great that AnyDesk has worked to secure their infrastructure and remove the bad guys, but how could these things be used maliciously now that they’re out in the wild?
Risks associated with stolen source code:
- Analysis of source code may reveal vulnerabilities or weaknesses that can be exploited in future attacks.
- Contributes to the research and development of possible 0-day exploits against AnyDesk software.
- Can be manipulated and compiled into malicious versions of the software that masquerade as legitimate versions.
- May lead to additional, targeted attacks against AnyDesk and their customers.
Risks associated with stolen signing certificates:
- Threat actors can sign any of their own malicious software with these certificates, making it appear legitimate and pass basic security checks.
- Can modify the existing software and re-sign it, so that it appears legitimate in form and function while having been injected with malicious code.
There are additional checks and balances that hopefully mitigate some of these risks. For example, many antivirus vendors are already marking the stolen certificate as malicious and generating alerts. These risks are also just examples and certainly not guaranteed to happen, nor is this an exhaustive list of all the risks. Stick to the basics: understand where AnyDesk is used in your environment, patch it, and manage it properly, and you should be safe. On the bright side, you may actually be able to use this event to get some stubborn users off of AnyDesk…not that I have any personal experience with this or anything.
Incident Highlights
What Happened?
- Cyberattack on AnyDesk. Threat Actors gained access to production systems.
- No specific timeline given yet, but suspected to be early to mid-January 2024 to January 29th, 2024.
- Incident Response and Remediation began January 29th, 2024 and concluded on February 4th, 2024.
- Source Code and signing certificates stolen.
- Not a ransomware attack.
- No evidence of end user devices being affected or compromised.
- No evidence of customer credentials being stolen or compromised.
- No evidence of source code being manipulated in any way.
- No evidence of on-premises hosted solutions being affected.
What has AnyDesk done?
- Partnered with Crowdstrike for IR efforts.
- Updated the custom client and general client with new certificates.
- Forced password resets for users of the customer portal, “my.anydesk.com II”.
Actions to Take
- If you have a customer portal account with “my.anydesk.com”, complete a login and reset your password if prompted. Enable 2FA if available.
- If you are not prompted, you are likely not affected, but may want to reset your password anyway.
- If this password is reused elsewhere, make sure you reset it everywhere.
- Update to the latest AnyDesk client.
- For organizations using the custom AnyDesk client, update to version 7.0.15.
- For organizations using the generally available AnyDesk client, update to version 8.0.8.
- Scan your environment for the installation and execution of AnyDesk software. Even if you don’t think it’s being used, it is often bundled with third-party software for support and maintenance purposes. It is also not uncommon for users to install it on their own, unbeknownst to administrators.
- If you identify installations from bundled software, check to see if the bundled software has any updates.
- If you identify standalone installations, update as needed or consider removing if they are not approved or no longer needed.
- If you are concerned about unauthorized access, you can review AnyDesk logs on each endpoint or the web console to identify if any unauthorized access was attempted or permitted in the last 30 days at a minimum.
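The update, discovery and log-review steps above can be covered on a single Windows endpoint with a script like the one below. It is an added example written for this post, not Blumira’s report or any AnyDesk tooling; the fixed version numbers come from the post, while the default install folders and the .trace log locations are assumptions to adjust for your deployment.

```powershell
# Added example (not Blumira/AnyDesk code): inventory AnyDesk on one Windows host, flag copies
# below the fixed versions named in the post, and list recent session logs. Assumes elevated PS 5.1+.
$FixedGeneral = [version]'8.0.8'    # generally available client (8.x line)
$FixedCustom  = [version]'7.0.15'   # custom client (7.x line)

# 1. Running processes: AnyDesk is often renamed or bundled, so match on the file description too.
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.ProcessName -like '*AnyDesk*' -or $_.Description -like '*AnyDesk*'
}

# 2. Installed copies from the uninstall registry keys (machine-wide, 32-bit, and per-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AnyDesk*' }

# 3. Candidate binaries: process paths, install locations, and the default install folders (assumed).
$candidates = @($procs.Path) +
    @($installs.InstallLocation | Where-Object { $_ } | ForEach-Object { Join-Path $_ 'AnyDesk.exe' }) +
    @("$env:ProgramFiles\AnyDesk\AnyDesk.exe", "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe")
$binaries = $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

# 4. Compare each binary's product version with the fixed release for its line and record the
#    Authenticode signer so it can be checked against the certificate AnyDesk now ships with.
$report = foreach ($path in $binaries) {
    $info = (Get-Item -LiteralPath $path).VersionInfo
    $ver  = $null
    [void][version]::TryParse(($info.ProductVersion -replace '[^\d.]', ''), [ref]$ver)
    $fixed = if ($ver -and $ver.Major -ge 8) { $FixedGeneral } else { $FixedCustom }
    $sig   = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path        = $path
        Version     = $ver
        NeedsUpdate = (-not $ver) -or ($ver -lt $fixed)   # unparseable version => review it
        SigStatus   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        CertExpires = $sig.SignerCertificate.NotAfter
    }
}
$report | Format-Table -AutoSize

# 5. Session logs touched in the last 30 days (directories assumed from AnyDesk's usual layout).
$logDirs = @("$env:ProgramData\AnyDesk", "$env:APPDATA\AnyDesk")
Get-ChildItem -Path $logDirs -Filter '*.trace' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, LastWriteTime, Length
```

Compare the reported Thumbprint against the certificate details in AnyDesk’s advisory rather than trusting SigStatus alone, since an older binary signed with the compromised certificate will still show as Valid until that certificate is revoked.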
Need help finding AnyDesk in your environment? Blumira can help!
In response to this incident, we have made a new global report available to all of our customers. Titled, “AnyDesk Process per Endpoint”, this report can help you identify if AnyDesk is running in your environment. From there, you can start planning out pushing updates or even just uninstall it if it’s not approved for use in your network. Additionally, if you’d like to be alerted to the use of AnyDesk in your environment, we have a detection titled, “Remote Access Tool: AnyDesk” that will trigger anytime AnyDesk is run on monitored endpoints. This is useful if you want an ongoing scan for AnyDesk use in your environment rather than performing manual audits.
For further details regarding the event, see AnyDesk’s official communication links below:
Jake Ouellette
Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.