AnyDesk announced today that it was hacked in a recent cyberattack that penetrated the company’s production systems. The breach resulted in the theft of both source code and private code signing keys.
Renowned for enabling users to access computers remotely across networks or the internet, AnyDesk’s software is a preferred choice not only among enterprises for remote support and managing colocated servers but also among cybercriminals seeking persistent access to compromised devices and networks.
With a client base that includes major names like 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations, the company boasts over 170,000 customers worldwide.
How AnyDesk was hacked
Late Friday afternoon, AnyDesk told BleepingComputer that it first became aware of the breach through abnormal activity observed on its production servers. A comprehensive security analysis, carried out with support from cybersecurity specialists at CrowdStrike, validated the breach of its systems and led to the implementation of a detailed response plan.
Though AnyDesk refrained from providing a detailed account of what data was compromised, BleepingComputer disclosed that the perpetrators absconded with source code and code signing certificates. The company further explained that ransomware was not a component of this cyberattack, and it concentrated on outlining its response efforts without delving into the specifics of the attack’s methodology.
In reaction to the incident, AnyDesk took significant steps to invalidate the compromised security certificates and to restore or replace affected systems. Reassuring its users about the integrity of the software, AnyDesk declared that there is no apparent risk to end-user devices following the incident.
AnyDesk maintains that no authentication tokens were compromised; however, as a precautionary measure, the company is revoking all passwords to their web portal and advises users to change their passwords if the same ones are used elsewhere.
“AnyDesk is designed in a way which session authentication tokens cannot be stolen. They only exist on the end user’s device and are associated with the device fingerprint. These tokens never touch our systems. We have no indication of session hijacking as to our knowledge this is not possible,” AnyDesk told BleepingComputer.
The process of updating to new code signing certificates is already underway, highlighted by Günter Born of BornCity, who noted the introduction of a new certificate in AnyDesk version 8.0.8, issued on January 29th. The update primarily encompasses the transition to this new code signing certificate, with intentions to revoke the previous one shortly.
Earlier software versions, along with old executables, were authenticated under ‘philandro Software GmbH’ with the serial number 0dbf152deaf0b981a8a938d53f769db8. Contrastingly, the latest version bears the signature of ‘AnyDesk Software GmbH,’ identifiable by a new serial number, 0a8177fcd8936a91b5e0eddf995b0ba5, underscoring the security measures in place.
Certificates typically remain valid unless a compromise occurs, such as theft during cyberattacks or accidental exposure. Although AnyDesk has not specified the exact timing of the breach, Born highlighted a significant four-day service interruption starting January 29th. During this period, AnyDesk disabled login capabilities to the client, suggesting immediate steps taken to mitigate the breach’s impact.
“my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less. You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete.” states the AnyDesk status message page.
Yesterday, access to the platform was restored, allowing users to log in to their accounts once more. While the company did not initially specify the reason for the maintenance in its status updates, it later confirmed to BleepingComputer that the maintenance was directly related to addressing the cybersecurity breach.
In the wake of the incident, it is strongly recommended that all users transition to the new version of the software, particularly since the old code signing certificate is set to be revoked soon. Moreover, despite AnyDesk’s assurances that passwords were not directly compromised during the breach, the unauthorized access to production systems raises significant security concerns. Consequently, it is prudent for AnyDesk users to change their passwords without delay, and similarly update their credentials on other sites where the same passwords have been used.
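For administrators who need to find out which machines still carry binaries signed with the old certificate, the following PowerShell inventory is an added example and is not from AnyDesk or BleepingComputer. It compares each executable's Authenticode signer against the two serial numbers quoted above; the scan directories and the function name Get-SignerVerdict are assumptions made for illustration.

```powershell
# Added example: classify executables by Authenticode signer serial number.
# The two serials are the ones quoted in the article; everything else is assumed.
$OldSerial = '0DBF152DEAF0B981A8A938D53F769DB8'   # 'philandro Software GmbH'
$NewSerial = '0A8177FCD8936A91B5E0EDDF995B0BA5'   # 'AnyDesk Software GmbH'

# Assumed scan roots; adjust to where software is installed or downloaded.
$ScanRoots = @("${env:ProgramFiles(x86)}", "$env:ProgramFiles", "$env:USERPROFILE\Downloads")

function Get-SignerVerdict {                      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $cert   = $sig.SignerCertificate
    $serial = if ($cert) { $cert.SerialNumber.ToUpperInvariant() } else { $null }

    if (-not $cert)                 { $verdict = 'unsigned' }
    elseif ($serial -eq $OldSerial) { $verdict = 'old-certificate' }
    elseif ($serial -eq $NewSerial) { $verdict = 'new-certificate' }
    else                            { $verdict = 'other-signer' }

    [pscustomobject]@{
        Verdict = $verdict
        Status  = $sig.Status       # whether Windows currently accepts the signature
        Subject = if ($cert) { $cert.Subject } else { '' }
        Serial  = $serial
        Path    = $Path
    }
}

Get-ChildItem -Path $ScanRoots -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerVerdict -Path $_.FullName } |
    Where-Object {
        # Report every file signed with the old certificate, whatever it is called,
        # plus anything that names AnyDesk in its path or signer subject.
        $_.Verdict -eq 'old-certificate' -or
        $_.Subject -match 'AnyDesk|philandro' -or
        $_.Path    -match 'anydesk'
    } |
    Sort-Object Verdict, Path |
    Format-Table -AutoSize -Wrap
```

Files reported as old-certificate are candidates for the update recommended above, and a file that names AnyDesk but comes back unsigned or other-signer is worth a closer look.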
This incident is part of a worrying trend of cyberattacks against renowned companies. Notably, Cloudflare disclosed a breach occurring on Thanksgiving, linked to authentication keys stolen during the previous year’s Okta cyberattack. Additionally, Microsoft recently revealed an intrusion by Russian state-sponsored hackers named Midnight Blizzard, who had also targeted HPE in May, illustrating the persistent and sophisticated nature of threats