AnyDesk says hackers breached its production servers, reset passwords


AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.

AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which uses it for remote support or to access colocated servers.

The software is also popular among threat actors, who use it for persistent access to breached devices and networks.

The company reports having 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations.

AnyDesk hacked

In a statement shared with BleepingComputer late Friday afternoon, AnyDesk says they first learned of the attack after detecting indications of an incident on their production servers.

After conducting a security audit, they determined their systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike.

AnyDesk did not share details on whether data was stolen during the attack. However, BleepingComputer has learned that the threat actors stole source code and code signing certificates.

The company also confirmed that the attack did not involve ransomware but didn't share much further information about the attack other than saying their servers were breached, with the advisory mainly focusing on how they responded to the attack.

As part of their response, AnyDesk says they have revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident.

"We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate," AnyDesk said in a public statement.

While the company says that no authentication tokens were stolen, out of caution, AnyDesk is revoking all passwords to their web portal and suggests changing the password if it's used on other sites.

"AnyDesk is designed in a way in which session authentication tokens cannot be stolen. They only exist on the end user's device and are associated with the device fingerprint. These tokens never touch our systems," AnyDesk told BleepingComputer in response to our questions about the attack.

"We have no indication of session hijacking as to our knowledge this is not possible."

The company has already begun replacing the stolen code signing certificates, with Günter Born of BornCity first reporting that they are using a new certificate in AnyDesk version 8.0.8, released on January 29th. The only listed change in the new version is that the company switched to a new code signing certificate and will revoke the old one soon.

BleepingComputer looked at previous versions of the software, and the older executables were signed under the name 'philandro Software GmbH' with serial number 0dbf152deaf0b981a8a938d53f769db8. The new version is now signed under 'AnyDesk Software GmbH,' with a serial number of 0a8177fcd8936a91b5e0eddf995b0ba5, as shown below.

Signed AnyDesk 8.0.6 (left) vs AnyDesk 8.0.8 (right)
Source: BleepingComputer

Certificates are usually not invalidated unless they have been compromised, such as being stolen in attacks or publicly exposed.
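Because the old certificate will be revoked and its private key is in attackers' hands, administrators will want to know which AnyDesk binaries on their Windows hosts still carry the old signer. The following PowerShell inventory is an added example written for this article, not code from BleepingComputer or AnyDesk; the two serial numbers and signer names come from the article above, while the search paths and the `Get-AnyDeskSignatureReport` function name are assumptions to adapt to your environment.

```powershell
# Added example (not from the article): inventory AnyDesk executables on a
# Windows host and flag any still signed with the pre-incident certificate.
# Serials and subject names are those reported above; search paths are assumed.

$OldSerial = '0dbf152deaf0b981a8a938d53f769db8'   # 'philandro Software GmbH' (to be revoked)
$NewSerial = '0a8177fcd8936a91b5e0eddf995b0ba5'   # 'AnyDesk Software GmbH' (8.0.8 and later)

# Assumed install and download locations; extend for your deployment.
$SearchPaths = @(
    "$env:ProgramFiles\AnyDesk",
    "${env:ProgramFiles(x86)}\AnyDesk",
    "$env:APPDATA\AnyDesk",
    "$env:USERPROFILE\Downloads"
)

function Get-AnyDeskSignatureReport {
    param([string[]]$Paths)

    foreach ($dir in $Paths) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter 'AnyDesk*.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            # .NET reports the serial as uppercase hex; normalise before comparing
            # with the lowercase serials quoted in the article.
            $serial = if ($cert) { $cert.SerialNumber.ToLowerInvariant() } else { '' }
            $verdict = switch ($serial) {
                $NewSerial { 'OK: signed with new AnyDesk Software GmbH certificate' }
                $OldSerial { 'ACTION: old philandro certificate, update to 8.0.8 or later' }
                default    { 'REVIEW: unsigned or unexpected signer' }
            }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer  = if ($cert) { $cert.Subject } else { '<unsigned>' }
                Serial  = $serial
                Verdict = $verdict
            }
        }
    }
}

Get-AnyDeskSignatureReport -Paths $SearchPaths | Format-Table -AutoSize
```

Matching on the certificate serial rather than only on `Status` matters here: a binary signed with the old key still verifies as `Valid` until the revocation propagates, so status alone does not tell you whether a file predates the certificate swap. Treat an `ACTION` row as a prompt to update, and a `REVIEW` row (an unexpected subject or serial on something named like AnyDesk) as a file to inspect before it is trusted.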

While AnyDesk had not shared when the breach occurred, Born reported that AnyDesk suffered a four-day outage starting on January 29th, during which the company disabled the ability to log in to the AnyDesk client.

"my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less," reads the AnyDesk status message page.

"You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete."

Yesterday, access was restored, allowing users to log in to their accounts, but AnyDesk did not provide any reason for the maintenance.

AnyDesk confirmed to BleepingComputer that this maintenance is related to the cybersecurity incident.

It is strongly recommended that all users switch to the new version of the software, as the old code signing certificate will soon be revoked.

Furthermore, while AnyDesk says that passwords were not stolen in the attack, the threat actors did gain access to production systems, so it is strongly advised that all AnyDesk users change their passwords. If they use their AnyDesk password at other sites, it should be changed there as well.

Every week, it feels like we learn of a new breach against well-known companies.

Last night, Cloudflare disclosed that they were hacked on Thanksgiving using authentication keys stolen during last year's Okta cyberattack.

Last week, Microsoft also revealed that they were hacked by Russian state-sponsored hackers named Midnight Blizzard, who also attacked HPE in May.