AnyDesk, a remote desktop software provider, has confirmed that it experienced a cyberattack resulting in unauthorized access to its production systems. As a result, the company was forced to implement security measures and suspend operations for nearly a week.
Millions of IT professionals rely on AnyDesk’s software to establish fast remote connections to their clients’ devices, primarily for technical support. According to its website, AnyDesk has a customer base of over 170,000, including prominent companies such as Comcast, LG, Samsung, and Thales.
Threat actors and ransomware gangs frequently abuse the same software to gain and maintain access to a victim’s computer and data. According to a report from the U.S. cybersecurity agency CISA in January, hackers had gained access to federal agencies through the use of legitimate remote desktop programs like AnyDesk.
Reports of a potential breach started circulating last Monday when AnyDesk announced that it was changing its code-signing certificates. These certificates are what let customers verify that a binary was released by the vendor and has not been modified since it was signed, which is why an attacker with access to the signing key, or to the build systems behind it, is a serious concern. After a prolonged outage, AnyDesk released a statement on Friday acknowledging that it had found its production systems compromised.
As part of its incident response, AnyDesk has taken several measures to address the issue. This includes revoking security-related certificates, remedying or replacing systems as needed, and invalidating all passwords to the customer web portal.
The company announced on Friday that they will soon revoke the previous code signing certificate for their binaries and have already begun the process of replacing it with a new one.
AnyDesk stated that the incident is unrelated to ransomware, although they did not provide details about the specific nature of the cyberattack.
AnyDesk spokesperson Matthew Caldwell did not respond to an emailed request for comment. CrowdStrike, which is working with AnyDesk on the response, declined to answer questions on Monday about the remediation of the cyberattack.
AnyDesk did not provide a response regarding inquiries about potential access to customer data. However, the company stated that there is no evidence of any impact on end-user systems.
AnyDesk says the situation is under control and that its software is safe to use, and it asks users to make sure they are running the most recent version, which carries the updated code-signing certificate.
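A defender-side check for that advice, added here as an example and not taken from the article or from AnyDesk’s own tooling: on a Windows host, enumerate AnyDesk executables, report which certificate signed each one, and flag any still signed by the certificate the vendor said it would revoke. The two thumbprint values are placeholders, since the article does not list the old or new certificate; the search roots are assumptions about where installed and portable copies usually live.

```powershell
# Added example, not from the article or from AnyDesk. Inventory AnyDesk
# executables on a Windows host and flag any still signed by the certificate
# the vendor said it would revoke. Placeholder thumbprints: the article does
# not give them; take them from a freshly downloaded, verified installer.
$RevokedThumbprints = @('PLACEHOLDER_OLD_CERT_THUMBPRINT')
$ExpectedThumbprint = 'PLACEHOLDER_NEW_CERT_THUMBPRINT'

# AnyDesk can run as an installed program or as a portable binary, so look in
# both per-machine and per-user locations (assumed list; extend as needed).
$SearchRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:APPDATA,
    $env:LOCALAPPDATA,
    "$env:USERPROFILE\Downloads",
    "$env:SystemDrive\Users\Public"
) | Where-Object { $_ -and (Test-Path $_) }

$Binaries = $SearchRoots | ForEach-Object {
    Get-ChildItem -Path $_ -Filter 'AnyDesk*.exe' -Recurse -File -ErrorAction SilentlyContinue
}

$Report = foreach ($Bin in $Binaries) {
    $Sig   = Get-AuthenticodeSignature -FilePath $Bin.FullName
    $Cert  = $Sig.SignerCertificate
    $Thumb = if ($Cert) { $Cert.Thumbprint } else { '<unsigned>' }

    # Compare thumbprints rather than trusting $Sig.Status alone: a signature
    # timestamped before the revocation date can still report Valid.
    $Verdict = if ($Thumb -in $RevokedThumbprints) { 'REPLACE: signed by revoked certificate' }
               elseif ($Thumb -eq $ExpectedThumbprint -and $Sig.Status -eq 'Valid') { 'OK' }
               elseif (-not $Cert) { 'INVESTIGATE: unsigned binary' }
               else { 'INVESTIGATE: unexpected signer or invalid signature' }

    [pscustomobject]@{
        Path       = $Bin.FullName
        Status     = $Sig.Status
        Signer     = if ($Cert) { $Cert.Subject } else { '' }
        Thumbprint = $Thumb
        Verdict    = $Verdict
    }
}

$Report | Format-Table -AutoSize
```

Any row marked REPLACE or INVESTIGATE is a host to update from a freshly downloaded installer, or to look at more closely if the signer is not the vendor at all.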
AnyDesk has received criticism for its response to the cyberattack thus far. According to German blogger Günter Born, AnyDesk initially referred to the four-day disruption that occurred from January 29 as “maintenance,” during which users were unable to log in. Jake Williams, an experienced incident responder, criticized AnyDesk on X for what he perceived as a strategic move to disclose the cyberattack to customers right before the weekend.
Security researchers have observed AnyDesk account access being sold on cybercrime forums. However, those stolen credentials were most likely harvested by password-stealing malware on users’ computers in earlier infections, not taken in this breach.