Incident

AnyDesk reports production systems breach, credentials for sale

Take action: If you are using AnyDesk, it's wise to reset the password you use on AnyDesk and on every other account where you reused the same password.

AnyDesk, a major remote access software provider serving 170,000 clients worldwide, has acknowledged a breach of its production systems.

The security breach came to light after the company initiated unexpected maintenance, leading to a three-day period of login failures for its clients. A changelog entry from January 29 hinted at the revocation of a previously issued code signing certificate, suggesting a potential compromise of this certificate.

In the security advisory released late on February 2, AnyDesk disclosed that a security audit was prompted by signs of unauthorized activity on its systems. This audit confirmed that their production systems had indeed been compromised. AnyDesk mobilized a comprehensive remediation plan, enlisting the aid of cybersecurity firm CrowdStrike to address the issue.

Update - as of February 9, AnyDesk disclosed further details of the attack, revealing that its systems were first breached in late December 2023 and that the intrusion was detected in mid-January. The forensic investigation confirmed that production systems were compromised, but found no evidence that customer credentials were stolen or that malicious versions of the AnyDesk software were distributed.

The company has reviewed its code, found no malicious modifications, and is revoking and updating certificates as a precaution. Although it's considered unlikely that attackers obtained user credentials, AnyDesk is enforcing a password reset for all customers due to a theoretical risk.

The breach involved the compromise of two European relay servers, raising concerns about potential malicious software distribution and password theft, though AnyDesk rules out the possibility of user session hijacking.

The incident is not related to ransomware or extortion attempts, and reports of user credentials being sold on the dark web are attributed to information-stealing malware, not the breach itself. The password reset aims to mitigate risks for customers affected by such malware.

Despite the serious nature of the incident, AnyDesk assured users that no ransomware was involved and that there was no evidence to suggest any end-user devices had been impacted. The company stressed that the situation was under control and reassured customers of the safety of using AnyDesk, provided they update to the latest version featuring a new code signing certificate.

Code signing certificates are critical in software security: a signature made with one lets an operating system and its users verify who published a binary and that it has not been altered since it was signed. When the private key behind such a certificate is compromised, it can be used to sign malware so that it appears to come from a legitimate publisher, undermining the trust that operating systems and users place in signed software.

Although AnyDesk stopped short of confirming the theft of its certificate directly, the incident raises concerns about the potential misuse of the compromised certificate to sign malicious software.

Following the discovery of the breach, AnyDesk revoked all affected security certificates and took necessary steps to secure its systems, including plans to revoke the compromised code signing certificate. The company also took the precaution of resetting all passwords to its web portal, advising users to change their passwords if reused elsewhere.
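Because the remediation advice above boils down to "run a build signed with the new certificate", a defender will want to check what signer the AnyDesk binaries on a host actually carry. The following PowerShell script is an added example, not code from the article or from AnyDesk; it assumes the default AnyDesk install locations listed in it, and the revoked certificate thumbprint is a placeholder that must be replaced with the value from AnyDesk's own advisory.

```powershell
# Added example (not from the article or AnyDesk): inventory AnyDesk binaries on a
# Windows host and report their Authenticode signer, so a defender can confirm the
# installed build carries the new certificate rather than the revoked one.
# Assumptions: the search roots below are typical install paths; the revoked
# thumbprint is a PLACEHOLDER to be replaced from AnyDesk's advisory.

$RevokedThumbprint = 'REPLACE_WITH_REVOKED_CERT_THUMBPRINT'   # placeholder, not a real value

$SearchRoots = @(
    "$env:ProgramFiles\AnyDesk",
    "${env:ProgramFiles(x86)}\AnyDesk",
    "$env:APPDATA\AnyDesk",
    "$env:ProgramData\AnyDesk"
)

function Get-AnyDeskSignatureReport {
    param(
        [string[]]$Roots   = $SearchRoots,
        [string]  $Revoked = $RevokedThumbprint
    )

    $Roots |
        Where-Object { Test-Path $_ } |
        ForEach-Object {
            Get-ChildItem -Path $_ -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue
        } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Path       = $_.FullName
                Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer     = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
                # A timestamped signature made before revocation can still report
                # Status = Valid, so the thumbprint comparison is the decisive check.
                Flag       = ($sig.Status -ne 'Valid') -or
                             ($null -ne $cert -and $cert.Thumbprint -eq $Revoked)
            }
        }
}

# Flagged rows first: unsigned, failing validation, or signed with the revoked certificate.
Get-AnyDeskSignatureReport | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it in an elevated session if AnyDesk was installed per-machine; files under the per-user paths are readable without elevation.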

Details on the specific nature of the compromise and any potential Indicators of Compromise (IoCs) were not disclosed by AnyDesk, leading to criticism from security professionals for the timing and lack of transparency in their communication.

Update - After AnyDesk's production systems were compromised, with 18,000 user credentials subsequently offered for sale on hacker forums, the company mandated a password reset for all customers on my.anydesk.com to protect their accounts.