AnyDesk hacked: 170,000-customer firm confirms breach
AnyDesk, a remote access software company based in Germany with 170,000 customers globally, including Comcast and Thales, has confirmed its production systems were compromised in a security incident.
The company had left users sweating for three days after client logins failed and it notified them of unplanned maintenance. A changelog showed it invalidated a previous code signing certificate on January 29.
Germany’s BSI warned after the incident that “possible leakage of the source code and certificates poses a risk that this information could be used for further attacks on the provider’s customers.”
In a late Friday, February 2 security advisory, AnyDesk said: “Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems.
“We immediately activated a remediation and response plan involving cyber security experts CrowdStrike…”
AnyDesk hacked: No ransomware, no information
The incident was not related to ransomware, it added.
AnyDesk, founded in 2014 and with customers in 190 countries, added: “We have no evidence that any end-user devices have been affected.
“We can confirm that the situation is under control and it is safe to use AnyDesk. Please make sure that you are using the latest version, with the new code signing certificate,” it added, in a distinctly detail-thin report.
Code-signing certificates, issued by a trusted third party, such as a certificate authority, contain information about software. When it is installed, an operating system checks the signature against the certificate to make sure the software has not been tampered with. If the certificate (more precisely, its private key) is stolen, it can be used to sign malware, leaving systems thinking it came from a trusted source.
Security researcher Florian Roth, who quickly developed a YARA rule to detect binaries that are signed with a possibly compromised AnyDesk signing certificate even before the firm confirmed the incident, noted on X that he had found “over 2300+ binaries signed with that certificate…”
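The practical check behind the two paragraphs above is to look at which certificate actually signed the AnyDesk binaries on a host, rather than trusting that the signature “validates”: a signature that was timestamped before the revocation date keeps validating on Windows, so the thumbprint is the thing to compare. The following PowerShell is an added example, not code from the article, from AnyDesk or from Florian Roth; the `$RevokedThumbprints` value is a placeholder, because the article gives no thumbprint, and the search roots are an assumption about where an installed or portable AnyDesk is likely to sit.

```powershell
# Added example (not the article's or AnyDesk's code): inventory the Authenticode
# signers of AnyDesk-named executables and flag anything signed with a certificate
# you have listed as revoked. PLACEHOLDER thumbprint: fill it from AnyDesk's advisory
# or from your own certificate inventory before relying on the REVOKED-CERT flag.

param(
    [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData", "$env:LOCALAPPDATA"),
    [string[]]$RevokedThumbprints = @('PLACEHOLDER_OLD_ANYDESK_CERT_THUMBPRINT')
)

$results = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'anydesk' } |
        ForEach-Object {
            # Get-AuthenticodeSignature runs WinVerifyTrust and hands back the leaf signer certificate.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Thumbprint = $thumb
                NotAfter   = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
                Flag       = if ($thumb -and ($RevokedThumbprints -contains $thumb)) { 'REVOKED-CERT' }
                             elseif ($sig.Status -ne 'Valid') { "SIG-$($sig.Status)" }
                             else { '' }
            }
        }
}

# Flagged rows first; a clean host shows only empty Flag values.
$results | Sort-Object Flag -Descending | Format-Table -AutoSize

# Keep the flagged rows for the incident record.
$results | Where-Object { $_.Flag } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'anydesk-signer-audit.csv')
```

Run it elevated so the Program Files trees are readable. A `Status` of `Valid` on a `REVOKED-CERT` row is expected, not a contradiction: it means the signature carries a trusted timestamp from before the revocation, which is exactly why the thumbprint comparison, and not the validity result, decides whether a binary should stay in place.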
AnyDesk said: “We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly…
“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices.
“As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,” it added in its update.
Rumours of an AnyDesk hack raised hackles widely because of the scale of downstream damage that can be done if a remote access software provider gets hit. July 2021’s attack on Kaseya is a powerful case in point. A threat group used vulnerabilities in software from the remote access company to hack 50+ MSPs that used its products, piggybacking on that access in turn to hit more than 1,500 downstream MSP customers with ransomware.
AnyDesk did not share any more details nor any Indicators of Compromise and dumped the advisory at 11pm German time.
Security expert Jake Williams pointed out on X: “This shouldn’t be coming out on a Friday afternoon when they took systems offline days ago. This is a PR move. Companies that are being transparent don’t play these shenanigans.”
He added: “Threat hunt in your environment wherever you had AnyDesk installed for anomalous activity over at least the last 30 days. When the intrusion vector isn’t being shared, you have to assume they don’t yet know. Even if they know, it’s usually a leap to say what was accessed. Think about it: do you believe a threat actor jumped onto one machine and pulled a code signing cert and that’s it? No? Oh, okay. Consider disabling AnyDesk in your environment, either by disabling the agent via GPO or blocking at a network level until more is known. I don’t have any inside information on this specific incident. But I’ve worked a lot of incidents in my day and the reporting on this one stinks to high heaven.”
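A first pass at the 30-day hunt Williams recommends, on a single Windows host, looks like the following. This is an added example and not code from the article or from Jake Williams; it assumes process-creation auditing (Security event 4688) is enabled, which is off by default, and the AnyDesk connection log path is an assumption about a default install that you should confirm on your own builds. The firewall rule at the end is the per-host form of “blocking at a network level” and is left commented out so the script stays read-only.

```powershell
# Added example (not from the article or from Jake Williams): hunt for AnyDesk activity
# over the last 30 days on one Windows host. Run elevated; the Security log needs it.
# Assumptions: event 4688 auditing is enabled (otherwise step 1 returns nothing), and
# AnyDesk writes its connection log to %ProgramData%\AnyDesk\connection_trace.txt.

$Since = (Get-Date).AddDays(-30)

# 1. Process creations that mention AnyDesk: installer, service, or a portable binary
#    dropped somewhere it should not be. Off-hours starts are worth a second look.
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'anydesk' }

$procEvents |
    Select-Object TimeCreated,
        @{ n = 'Process'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*New Process Name:' }) `
                                -replace '^\s*New Process Name:\s*', '' } },
        @{ n = 'OffHours'; e = { $_.TimeCreated.Hour -lt 7 -or $_.TimeCreated.Hour -ge 19 } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize

# 2. Daily volume. A spike, or any activity on a host that "never" used AnyDesk, is the lead.
$procEvents |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count |
    Sort-Object Day |
    Format-Table -AutoSize

# 3. Is the agent installed as a service right now, and will it come back after reboot?
Get-Service -Name 'AnyDesk*' -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType

# 4. AnyDesk's own connection log (assumed default path): recent incoming sessions.
$trace = Join-Path $env:ProgramData 'AnyDesk\connection_trace.txt'
if (Test-Path $trace) {
    Get-Content $trace | Where-Object { $_ -match 'Incoming' } | Select-Object -Last 50
}

# 5. Containment while the intrusion vector is unknown: block the binary's outbound
#    traffic on this host. Uncomment deliberately; remove the rule when you re-enable.
# New-NetFirewallRule -DisplayName 'Block AnyDesk (incident)' -Direction Outbound `
#     -Program "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe" -Action Block
```

Across a fleet, the same 4688 filter is what you would push to the SIEM instead of running per host; the point of the host script is to confirm quickly whether AnyDesk was ever present and active on a machine where nobody expected it, which is the anomaly Williams is pointing at.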
In an advisory published in German on February 5, BSI added: “Man-in-the-middle and supply chain attacks are conceivable in this context [as a result of the breach…] these could go unnoticed or, in the worst case, attacks may already have gone undetected. The measures carried out by the operator significantly reduce the current risk potential. However, it cannot be ruled out that malicious versions of the software, signed with the compromised certificate, are offered by attackers on third-party websites or sent to customers in a targeted manner…”