
AnyDesk Cyber Attack Compromised Production Systems and Leaked Code Signing Certificates

Remote access software maker AnyDesk has suffered a cyber attack that compromised its production systems and exposed source code and code signing certificates.

The remote access software developer learned of the cyber intrusion after detecting “indications of an incident” on its systems starting in mid-January.

The company activated a remediation and incident response plan with cybersecurity firm CrowdStrike and notified relevant authorities. A subsequent investigation determined that the suspicious activity started in December 2023.

AnyDesk also suffered a four-day outage beginning January 29, 2024, which prevented AnyDesk client login and was related to the cyber incident.

AnyDesk revokes code signing certificates after a cyber attack

AnyDesk responded by revoking its security-related certificates and rotating the code signing certificate used for its binaries to limit the impact of the cyber attack.

A code signing certificate binds a publisher's identity to a signing key. A signature made with that key lets the verifier confirm that a binary came from the named publisher and has not been modified since it was signed. The check says nothing about who actually held the key: if the private key is stolen, the thief can sign malware that passes as the publisher's own, which is why a compromised certificate has to be revoked and replaced rather than simply re-used.

“We have revoked all security-related certificates, and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” said AnyDesk.
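Since revoking and replacing the certificate is the whole of the public remedy, the following Go program (an added example using only the standard library, not AnyDesk's or CrowdStrike's code) shows why it matters: a toy CA issues a code signing certificate, a release is signed, an attacker who holds a copy of the certificate and its private key signs their own binary, and an endpoint verifier checks the chain, a revocation list and the signature. The CA, publisher name, binaries and serial numbers are all constructed for the example; real Authenticode verification additionally handles PKCS#7 containers and timestamp countersignatures, which this omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for cn. With ca == nil it returns a self-signed root
// (standing in for the commercial CA); otherwise a code signing leaf issued by ca.
func issue(cn string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		ca, caKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// Sign is what a build pipeline does at release time: ECDSA over SHA-256 of the binary.
func Sign(key *ecdsa.PrivateKey, binary []byte) []byte {
	d := sha256.Sum256(binary)
	return must(ecdsa.SignASN1(rand.Reader, key, d[:]))
}

// Verify is what an endpoint should do before trusting a binary: chain the signer certificate to a
// trusted root with the code-signing EKU, reject revoked serials (a stand-in for a CRL/OCSP lookup),
// and only then check the signature over the hash.
func Verify(roots *x509.CertPool, revoked map[string]bool, signer *x509.Certificate, binary, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if revoked[signer.SerialNumber.String()] {
		return fmt.Errorf("signer certificate serial %s is revoked", signer.SerialNumber)
	}
	d := sha256.Sum256(binary)
	if !ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), d[:], sig) {
		return fmt.Errorf("signature does not match binary")
	}
	return nil
}

// Scenario replays the incident with constructed keys and binaries; the map keys name each check.
func Scenario() map[string]error {
	caCert, caKey := issue("Example Code Signing Root (constructed)", 1, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	revoked := map[string]bool{}

	oldCert, oldKey := issue("Vendor Inc (constructed)", 1001, caCert, caKey)
	release := []byte("vendor-client-8.0.7 (constructed binary)")
	legitSig := Sign(oldKey, release)
	// The breach: the attacker holds copies of oldCert and oldKey and signs their own binary with them.
	malware := []byte("trojanised-client (constructed binary)")
	forgedSig := Sign(oldKey, malware)

	out := map[string]error{}
	out["legit, before revocation"] = Verify(roots, revoked, oldCert, release, legitSig)
	out["forged, before revocation"] = Verify(roots, revoked, oldCert, malware, forgedSig) // passes: genuine key
	// Response: revoke the compromised certificate and ship a new release under a replacement.
	revoked[oldCert.SerialNumber.String()] = true
	newCert, newKey := issue("Vendor Inc (constructed)", 1002, caCert, caKey)
	newRelease := []byte("vendor-client-8.0.8 (constructed binary)")
	out["forged, after revocation"] = Verify(roots, revoked, oldCert, malware, forgedSig)
	out["legit old release, after revocation"] = Verify(roots, revoked, oldCert, release, legitSig) // fails too
	out["new release, new cert"] = Verify(roots, revoked, newCert, newRelease, Sign(newKey, newRelease))
	return out
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-38s -> %v\n", name, err)
	}
}
```

Two results are the point. Before revocation the forged binary verifies, because the key is genuine: nothing in the signature tells the endpoint it was made by the wrong party. After revocation the forgery is rejected, but so is the genuine old release, since this verifier (like any verifier without trusted timestamps) cannot tell pre-leak signatures from post-leak ones; that is the practical reason behind the advice to move to a release signed with the new certificate. Run it with `go run .`.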

So far, AnyDesk has no evidence that the threat actors compromised customer data or devices or deployed ransomware during the cyber attack.

“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end-user devices,” explained AnyDesk.

The company also forced a reset of all web portal passwords as a precaution and advised users to “change their passwords if the same credentials are used elsewhere.”

Nevertheless, AnyDesk Software assures its customers that the situation is under control and that the cyber attack did not compromise the integrity of its software.

“To date, we have no evidence that any end-user devices have been affected. We can confirm that the situation is under control and it is safe to use AnyDesk,” reported AnyDesk.

AnyDesk Software has advised customers to use “the latest version with the new code signing certificate.” AnyDesk Client 8.0.8, released on January 29, 2024, and later versions are signed with the new certificate; revocation of the old certificate was still pending at the time. Administrators can confirm which certificate an installed client carries by inspecting the binary's code signature and comparing the signer certificate with the one on the current release.

Similarly, the remote access software company has advised customers against downloading software or updates from unsecured third parties.

The company also sought to allay fears of a supply chain attack mounted with the leaked code signing certificate: so far, no compromised “software have been or are being distributed,” it said.

Matt Sparrow, Senior Intelligence Operations Analyst at Centripetal, predicted that the cyber attack will “have very significant consequences for many organizations worldwide.”

However, Sparrow noted that AnyDesk’s prompt detection and revocation of code signing certificates is “what a prepared security team should be prepared to do” and “is exactly the kind of action” that limits impacts on users.

AnyDesk credentials listed for sale on the dark web

Cyber security and threat intelligence firm Resecurity has discovered 18,000 AnyDesk customer credentials listed for sale on the popular hacking forum Exploit[.]in following the cyber attack.

AnyDesk has acknowledged learning that its user credentials were circulating on the dark web but denied that the leak stemmed from the cyber attack.

“We have become aware that credentials for AnyDesk customer accounts are circulating on the Darknet. These credentials were not exfiltrated from AnyDesk systems and are not related to the incident,” said AnyDesk.

AnyDesk, Resecurity, SOS Intelligence, and Hudson Rock all agree that the leaked credentials were harvested via stealer malware infections on end-user devices.

If abused, the stolen credentials could give threat actors access to customers’ connection information and personal details, which are valuable for follow-on attacks and targeted phishing.

On whether the intrusion itself could have been used to harvest credentials, AnyDesk said it could not “rule out the theoretical possibility for a short period of time.”

The company argued, however, that the effort required and the short window make this highly unlikely.

“… attackers would have had to rewrite the very extensive code of our software in the very short time available, trick users into using a fake version of our software, and then have them enter their password. This seems unlikely, although not impossible,” said AnyDesk.

The leaked credentials were also invalidated after AnyDesk forced a password reset on ‘my.anydesk.com’.

In addition to the measures recommended by AnyDesk, Resecurity has advised users to use the client’s whitelisting feature so that only trusted devices can connect, enable multi-factor authentication, and monitor accounts for suspicious activity.