AnyDesk’s Cybersecurity Breach: Unveiling the Recent Attack

AnyDesk, a widely used remote desktop software, recently announced a significant breach within its production environment. Despite the unsettling access gained by hackers, AnyDesk assured its user base that no authentication tokens were compromised, as these crucial elements reside solely on the user’s device, tethered to its unique fingerprint.

In a proactive move to fortify security, AnyDesk has invalidated all web portal passwords and urged users to adopt new ones, particularly if the same passwords are utilized across multiple platforms. This measure accompanies the revocation of all prior code signing certificates, a critical step in safeguarding the software’s integrity.

For the technically inclined, AnyDesk shared a query that could be used to identify executables in one’s environment signed with the soon-to-be-revoked certificate. This query allows users to identify prior versions of the AnyDesk client that might still be using the older certificate, enhancing their security awareness.

“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices. As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,”  AnyDesk said in a statement.

The following query can be used to identify executables in your environment that have been signed with the older, to-be-revoked certificate (including prior versions of the Anydesk client):

((src.process.publisher in:anycase (‘PHILANDRO SOFTWARE GMBH’)) OR (tgt.process.publisher in:anycase (‘PHILANDRO SOFTWARE GMBH’)))

The company’s swift response included the rollout of the latest software update, version 8.0.8 for Windows users, embedding a new code signing certificate to replace the soon-to-be-revoked one. Users are strongly encouraged to update to this latest version to ensure their digital safety.

The company promptly conducted a security audit and engaged the services of cybersecurity experts, CrowdStrike, to remediate the situation. AnyDesk also cooperated closely with relevant authorities while emphasizing that the incident was not related to ransomware.

Source: Original Post