Pierluigi Paganini February 05, 2024

Remote desktop software company AnyDesk announced that threat actors compromised its production environment.

Remote desktop software company AnyDesk announced on Friday that threat actors had access to its production systems.

The security breach was discovered as a result of a security audit, the company immediately notified relevant authorities. AnyDesk did not reveal if it has suffered a data breach.

AnyDesk is a remote desktop software that allows users to connect to a computer or device remotely. It enables users to access and control a computer from another location as if they were sitting in front of it. AnyDesk is commonly used for remote technical support, online collaboration, and accessing files or applications on a remote computer.

The company started a remediation and response plan with the help of cyber security firm CrowdStrike. AnyDesk pointed out that this security breach is not related to ransomware.

“Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully. The relevant authorities have been notified and we are working closely with them. This incident is not related to ransomware.” reads the incident response notice published by the company.

In response to the security breach, the company revoked all security-related certificates and systems have been remediated or replaced where necessary.

The company is going to revoke the existing code signing certificate used to sign its binaries.

AnyDesk remarked that its systems don’t store private keys, security tokens or passwords that could be exploited by threat actors to target end-user devices. As a precaution, the company also revoked all passwords to the web portal my.anydesk.com, and recommended that users change their passwords if the same credentials are used elsewhere.

Researchers at cybersecurity firm Resecurity identified threat actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.

Resecurity experts pointed out that it is possible that cybercriminals familiar with the incident are hurrying to monetize available customer credentials via the Dark Web acquired from different sources, understanding that AnyDesk may take proactive measures to reset their credentials. Such data could be extremely valuable for both initial access brokers and ransomware groups familiar with AnyDesk, often abused as one of the tools following successful network intrusions. Notably, per additional context acquired from the actor, the majority of exposed accounts on the Dark Web didn’t have 2FA enabled.

“The samples provided by the threat actors were related to compromised access credentials that belong to various consumers and enterprises, and which grant access to the AnyDesk customer portal. As a security measure, the threat actor sanitized some of the passwords. The threat actor offered 18,317 accounts for $15,000 to be paid in cryptocurrency.” reported Resecurity. “He also agreed to make a deal via escrow on Exploit. Resecurity reached out to the majority of the contacts identified as potential victims and confirmed they had used AnyDesk products recently or long ago. The threat actor didn’t share any additional information.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AnyDesk)