TLDR:
- Remote desktop software provider AnyDesk experienced a cyberattack that compromised its production systems.
- The attackers stole source code and private code signing keys, but there is no evidence that user devices were affected.
- AnyDesk has revoked all security-related certificates and web portal passwords and has implemented remediation measures.
Popular remote desktop software provider AnyDesk has confirmed that its production systems were compromised in a cyberattack. The attackers gained access to the company’s production environment and stole source code and private code signing keys. AnyDesk immediately activated a remediation and response plan with the help of cybersecurity firm CrowdStrike. The company believes the threat actor is now out of its network and has revoked all security-related certificates and web portal passwords.
The hack did not involve ransomware, and AnyDesk has found no evidence that end-user devices were affected. The company’s systems are designed not to store private keys, security tokens, or passwords that could be exploited to connect to end-user devices. AnyDesk assures users that the software is safe to use but recommends updating to the latest version and changing passwords anywhere the same credentials are reused. The update advice matters more than it sounds: with the code signing keys in an attacker’s hands, any installer signed with the old certificate could pass a signature check as genuine AnyDesk until that certificate is replaced, so older builds and unofficial download mirrors should be treated with suspicion.
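The stolen signing keys are the one part of this incident a defender can check for directly on an endpoint. The script below is an added example, not code from the article or from AnyDesk: it uses the standard `Get-AuthenticodeSignature` cmdlet to inspect every AnyDesk binary it can find and reports whether each one is signed by a pinned certificate thumbprint. The install paths, the Downloads scan and the `REPLACE-WITH-PINNED-THUMBPRINT` value are assumptions; take the real thumbprint from a build obtained directly from AnyDesk.

```powershell
# Added example, not code from the article or from AnyDesk. The only real API
# used is Get-AuthenticodeSignature; the install paths and the pinned
# thumbprint are assumptions you must replace with your own values.

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    # A chain-valid signature is necessary but not sufficient: a binary signed
    # with the stolen key (especially one carrying a timestamp from before the
    # certificate was revoked) can still report Status = Valid. Pinning the
    # thumbprint of the replacement certificate is the check that matters.
    $pinned = ($null -ne $cert) -and ($cert.Thumbprint -eq $ExpectedThumbprint)
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Trusted    = ($sig.Status -eq 'Valid') -and $pinned
    }
}

# Assumption: thumbprint of the new AnyDesk code signing certificate, read from
# a build obtained directly from AnyDesk. Placeholder here on purpose.
$ExpectedThumbprint = 'REPLACE-WITH-PINNED-THUMBPRINT'

# Assumption: common AnyDesk binary locations on a Windows endpoint, plus any
# installer sitting in the current user's Downloads folder.
$Candidates = @(
    "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe",
    "${env:ProgramFiles}\AnyDesk\AnyDesk.exe"
) + @(Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'AnyDesk*.exe' -File -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty FullName)

$Candidates |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-PinnedSignature -Path $_ -ExpectedThumbprint $ExpectedThumbprint } |
    Format-Table Path, Status, Thumbprint, Trusted -AutoSize
```

Run it as the logged-on user (or under your EDR's script execution) and treat any row with `Trusted = False` as a binary to quarantine and reinstall from the official source. Do not rely on `Status` alone: Authenticode honours timestamps, so a signature made with the old key before its revocation date keeps validating, which is exactly why the thumbprint comparison is the decisive check.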
However, two days after AnyDesk’s public statement, cybersecurity firm Resecurity found multiple threat actors selling compromised AnyDesk login credentials on both the clear and dark web. One of them listed over 18,000 AnyDesk customer credentials for sale on a prominent dark web forum. Resecurity and other threat intelligence providers believe these credentials were harvested from end customers by stealer malware rather than taken in the breach of AnyDesk’s own systems.
Resecurity argues that cybercriminals aware of the incident are rushing to monetize the credentials they already hold before users reset them. AnyDesk’s maintenance window from January 29 to February 1 likely kept many customers from changing their access credentials in the meantime, leaving the stolen logins usable for longer. AnyDesk recommends that users contact the company for details on their potential exposure, change their passwords, restrict incoming connections with the access allowlist (so that only approved AnyDesk IDs can connect), enable multifactor authentication, and monitor their customer accounts for suspicious activity.