Pierluigi Paganini
January 21, 2025
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber scams involving threat actors impersonating the agency by sending fraudulent AnyDesk connection requests under the guise of security audits.
CERT-UA pointed out that it uses the software AnyDesk in some cases, but only with prior approval via official channels.
“The Ukrainian government’s computer emergency response team, CERT-UA, has received information about numerous cases of attempts to connect to computers using the AnyDesk program, allegedly on behalf of CERT-UA.” reads the advisory published by CERT-UA. “Thus, unidentified individuals send requests to connect to AnyDesk under the pretext of conducting a “security audit to check the level of security”, using the name “CERT.UA”, the CERT-UA logo, and the AnyDesk identifier “1518341498” (may change).”
Threat actors are attempting to use social engineering techniques by exploiting the trust of local entities in the authority.
The threat actors need to have the victim’s AnyDesk ID to carry out the attack and the software must be active on the target systems. The researchers explained that attackers can retrieve a compromised ID from “prior unauthorized access on other devices or circumstances.”
CERT-UA recommends enabling remote access software only during active use, confirming remote work through official channels, and reporting anomalies promptly.
At present, CERT-UA has not attributed the attacks to any Russian APT group active against Ukraine since the start of the conflict (e.g. UAC-0010, UAC-0050 and UAC-0006). The alert also does not specify the targets of the attack, information that could provide useful insights into the attackers’ motivations and help attribute the campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ukraine)
