AnyDesk KQL

AnyDesk, a widely used remote desktop software, recently experienced a significant security breach that forced the company to take drastic measures to protect its users and infrastructure. The breach was discovered following a security audit prompted by suspicious activity, revealing that AnyDesk’s production systems had been compromised. Although the company clarified that the incident was not related to ransomware, the specifics of the cyberattack were not disclosed​.

In response to the breach, AnyDesk revoked all security-related certificates and replaced or remediated affected systems. The company also invalidated all passwords to its customer web portal and urged users to update their passwords, especially if the same credentials were used elsewhere. Additionally, AnyDesk called in cybersecurity firm CrowdStrike to assist with the investigation and remediation of the incident​.

The breach’s discovery followed AnyDesk’s decision to swap its code-signing certificates, which are crucial for preventing unauthorized tampering with the software’s code. This move was initially attributed to “maintenance” but was later revealed to be part of the company’s response to the cyberattack.

Despite the breach, AnyDesk reassured its users that there is no evidence of any end-user systems being affected and claimed the situation was under control. The company emphasized the importance of using the latest version of their software, equipped with the new code signing certificate, to ensure security​.

However, the breach has raised concerns about the potential misuse of compromised AnyDesk credentials. Security researchers have observed that hackers are selling access to AnyDesk accounts purportedly affected by the breach on cybercrime forums. While these account details are likely from previous malware infections rather than the breach itself, the situation underscores the risks of password reuse and the importance of using unique passwords for every application​.

AnyDesk, which boasts over 170,000 customers, including high-profile organizations like Nvidia, Siemens, and the United Nations, provides remote control capabilities, VPN, and file transfer features. The breach’s implications could be far-reaching, highlighting the need for robust cybersecurity measures such as multifactor authentication to protect against unauthorized access​​.

AnyDesk Certificate KQL search

let Timeframe = 7d; // Choose the best timeframe for your investigation
// Step 1: files observed on endpoints that carry the compromised AnyDesk code-signing certificate
let SuspiciousAnydeskFileCertificate = DeviceFileCertificateInfo
    | where Timestamp > ago(Timeframe)
    | where CertificateSerialNumber =~ "0dbf152deaf0b981a8a938d53f769db8" // Compromised certificate serial number (=~ is case-insensitive)
    | where Issuer == "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
    | project Timestamp, DeviceName, SHA1;
// Step 2: join on SHA1 against process executions of those files whose version info does not name AnyDesk as the company
SuspiciousAnydeskFileCertificate
    | join (
        DeviceProcessEvents
        | where Timestamp > ago(Timeframe)
        | where ProcessVersionInfoCompanyName !contains @"AnyDesk" // !contains is case-insensitive; empty version info also passes this filter
        | project SHA1, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
    ) on SHA1
    | sort by Timestamp desc // Timestamp comes from the certificate side; the inner query projects its own away
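To make the query's matching semantics concrete, here is an added example (not part of the original post, and not AnyDesk's or Microsoft's code) that re-implements the hunt's logic in plain Python over constructed sample records: a case-insensitive serial match, an exact issuer match, an inner join on SHA1, and the "version info does not claim AnyDesk" filter. The serial number and issuer string are the ones the query above uses; every record, hash, device name and path below is constructed for illustration.

```python
# Added example, not part of the original post: the KQL hunt's logic re-implemented
# in plain Python over constructed sample records, so the matching semantics
# (case-insensitive serial match, exact issuer match, join on SHA1, "does not
# claim AnyDesk" filter) can be checked on concrete input.
from dataclasses import dataclass

# The serial number and issuer are the ones used in the post's query.
COMPROMISED_SERIAL = "0dbf152deaf0b981a8a938d53f769db8"
EXPECTED_ISSUER = "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"

# Constructed file hashes standing in for real SHA1 values.
SHA_A, SHA_B, SHA_C, SHA_D, SHA_E = ("aa" * 20, "bb" * 20, "cc" * 20, "dd" * 20, "ee" * 20)


@dataclass(frozen=True)
class FileCertInfo:
    """Subset of the DeviceFileCertificateInfo columns the query uses."""
    timestamp: str
    device_name: str
    sha1: str
    serial: str
    issuer: str


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the query projects."""
    sha1: str
    file_name: str
    folder_path: str
    company_name: str   # ProcessVersionInfoCompanyName; empty when version info is absent
    command_line: str


def is_compromised_cert(rec: FileCertInfo) -> bool:
    # KQL `=~` is case-insensitive equality (serials get logged in either case);
    # `==` on the issuer is case-sensitive, exactly as in the query.
    return rec.serial.lower() == COMPROMISED_SERIAL and rec.issuer == EXPECTED_ISSUER


def claims_anydesk(company_name: str) -> bool:
    # KQL `contains` / `!contains` are case-insensitive substring tests.
    return "anydesk" in company_name.lower()


def hunt(cert_records, process_events):
    """Processes launched from files that carry the compromised certificate but whose
    version info does not name AnyDesk, newest certificate sighting first.
    The KQL output's Timestamp comes from the certificate (left) side of the join,
    because the inner query projects its own Timestamp away; the same is done here."""
    suspicious = {r.sha1: r for r in cert_records if is_compromised_cert(r)}
    hits = []
    for ev in process_events:
        cert = suspicious.get(ev.sha1)          # inner join on SHA1
        if cert is None or claims_anydesk(ev.company_name):
            continue
        hits.append({
            "timestamp": cert.timestamp,
            "device_name": cert.device_name,
            "sha1": ev.sha1,
            "file_name": ev.file_name,
            "folder_path": ev.folder_path,
            "company_name": ev.company_name,
            "command_line": ev.command_line,
        })
    # ISO-8601 timestamps sort correctly as strings; newest first, like `sort by Timestamp desc`
    return sorted(hits, key=lambda h: h["timestamp"], reverse=True)


# Constructed telemetry covering the cases the query distinguishes.
SAMPLE_CERTS = [
    # compromised serial logged in upper case: must still match
    FileCertInfo("2024-02-02T10:00:00Z", "wks-01", SHA_A, COMPROMISED_SERIAL.upper(), EXPECTED_ISSUER),
    FileCertInfo("2024-02-03T11:00:00Z", "wks-02", SHA_B, COMPROMISED_SERIAL, EXPECTED_ISSUER),
    # same serial under a different issuer: not the compromised certificate
    FileCertInfo("2024-02-01T09:00:00Z", "wks-03", SHA_C, COMPROMISED_SERIAL, "Contoso Internal Code Signing CA"),
    # correct issuer, unrelated serial
    FileCertInfo("2024-02-01T09:30:00Z", "wks-04", SHA_D, "0123456789abcdef0123456789abcdef", EXPECTED_ISSUER),
    FileCertInfo("2024-02-04T08:00:00Z", "wks-05", SHA_E, COMPROMISED_SERIAL, EXPECTED_ISSUER),
]

SAMPLE_PROCESSES = [
    # legitimate AnyDesk binary signed with the now-revoked certificate: version info names AnyDesk, so excluded
    ProcessEvent(SHA_B, "AnyDesk.exe", "C:\\Program Files (x86)\\AnyDesk", "AnyDesk Software GmbH", "AnyDesk.exe"),
    # revoked certificate, no version info at all: flagged
    ProcessEvent(SHA_A, "svchost32.exe", "C:\\Users\\Public", "", "svchost32.exe --service"),
    # revoked certificate, version info claims another company: flagged
    ProcessEvent(SHA_E, "update.exe", "C:\\Users\\Public", "Contoso Ltd", "update.exe /silent"),
    # files whose certificate did not match are never joined
    ProcessEvent(SHA_C, "tool.exe", "C:\\Tools", "Contoso Ltd", "tool.exe"),
    ProcessEvent(SHA_D, "setup.exe", "C:\\Temp", "Fabrikam", "setup.exe"),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_CERTS, SAMPLE_PROCESSES):
        print(hit["timestamp"], hit["device_name"], hit["file_name"], repr(hit["company_name"]))
```

Two details carry over from the KQL: the default `join` kind (innerunique) keeps one left-side row per key, which the `suspicious` dictionary mirrors by keeping one certificate record per SHA1, and a binary whose version resource has been stripped has an empty `ProcessVersionInfoCompanyName`, which passes the `!contains` filter and is therefore surfaced rather than hidden.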