
AnyDesk Concludes Remediation of December 2023 Incident

What Happened? 

On February 2nd, 2024, the remote monitoring and management (RMM) vendor AnyDesk disclosed that it had detected indications of an incident impacting its production environments in mid-January. The announcement confirmed that AnyDesk had engaged incident responders from CrowdStrike, a leading XDR vendor, to execute its incident response plan, which AnyDesk reported completing a week later on February 9th.

As part of this response, AnyDesk revoked every web portal user's password and revoked its security-related certificates, including the code-signing certificate used to sign AnyDesk binaries. The vendor also remediated or replaced compromised production systems as needed. MSPs using AnyDesk should update their clients so that every deployed binary is signed with the new certificate rather than the revoked one.

Key Takeaways 

According to AnyDesk's communications, this incident did not impact end-user credentials or personal data: the vendor states that it does "not store private keys, security tokens, or passwords that could be exploited to connect to end-user devices," and that credentials sent from the AnyDesk client are transmitted with TLS/SSL encryption through a relay server.

A February 4th report from researchers at the security services firm Resecurity indicated that threat actors were selling over 18,000 compromised AnyDesk customer credentials on the dark web. AnyDesk's report attributes these credentials to infostealer malware on end-user devices rather than to a compromise of AnyDesk's corporate environment. AnyDesk has nonetheless initiated customer portal password resets "as a precaution."

On February 6th, ThreatLocker warned AnyDesk users in its audience that the older, potentially compromised binaries carry a signature issued to "philandro Software GmbH" with the serial number "0dbf152deaf0b981a8a938d53f769db8"; this is the certificate AnyDesk has since revoked.

Why This Matters to MSPs 

Although ransomware and extortion were not involved in this incident, the AnyDesk hack shines a light on the ongoing risk an RMM poses despite being a key element of any MSP's technology stack. In coverage of this incident alone, channel media has already cited a CISA advisory from January 2023 describing threat actors who use legitimate RMM software (including AnyDesk and ConnectWise ScreenConnect, formerly Control) to establish persistence, communicate with command-and-control servers, and deploy malicious software while bypassing "common software controls and risk management assumptions."

Next Steps 

CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk:

  • Update your AnyDesk Windows client to version 7.0.15 (7.x branch) or 8.0.8 (8.x branch). macOS users should update to version 8.0.0. Customers running custom or on-premises clients should also update as soon as a build signed with the new security/code-signing certificate is released.  
  • If you are not sure whether your AnyDesk binaries carry the new certificate, you can use AnyDesk's guidance here to confirm the signature is legitimate. The new certificate is issued to "AnyDesk Software GmbH" with the serial number "0a8177fcd8936a91b5e0eddf995b0ba5".
  • If you are concerned about compromised end-user credentials or other sensitive data, use your EDR/XDR platform to detect and remediate information-stealing malware, and use resources such as HaveIBeenPwned.com to check whether key public-facing accounts appear in known breaches.
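The certificate and version checks in the first two steps can be scripted so an MSP can run them across a fleet instead of inspecting file properties by hand. The following PowerShell script is an added example for this briefing, not code from AnyDesk, ThreatLocker or CyberQP. It reads the Authenticode signature of an AnyDesk binary with the built-in `Get-AuthenticodeSignature` cmdlet, compares the signer subject and serial number against the new ("AnyDesk Software GmbH") and revoked ("philandro Software GmbH") certificate values quoted above, and checks the file version against the 7.0.15 / 8.0.8 minimums. The default install path and the assumption that the file version parses as `major.minor.build.revision` are the author's assumptions, not something the briefing states.

```powershell
# Added example (not part of the original briefing): verify that an AnyDesk
# binary is signed with the post-incident certificate and meets the minimum
# patched version. Certificate subjects, serials and version thresholds are
# taken from the briefing above; the default path assumes a standard
# per-machine AnyDesk install and is an assumption of this example.
param(
    [string]$Path = "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe"
)

# Certificate identities quoted in the briefing. PowerShell reports X509 serial
# numbers as upper-case hex with no separators, so compare case-insensitively.
$GoodSubject    = 'AnyDesk Software GmbH'
$GoodSerial     = '0a8177fcd8936a91b5e0eddf995b0ba5'
$RevokedSubject = 'philandro Software GmbH'
$RevokedSerial  = '0dbf152deaf0b981a8a938d53f769db8'

# Minimum patched Windows client per release branch, keyed by major version.
$MinVersion = @{ 7 = [version]'7.0.15'; 8 = [version]'8.0.8' }

function Test-AnyDeskBinary {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Verdict = 'NOT FOUND' }
    }

    $sig      = Get-AuthenticodeSignature -FilePath $FilePath
    $cert     = $sig.SignerCertificate
    $findings = New-Object System.Collections.Generic.List[string]

    if ($null -eq $cert) {
        $findings.Add("unsigned or unreadable signature (status: $($sig.Status))")
    } else {
        $serial = $cert.SerialNumber.ToLowerInvariant()
        if ($cert.Subject -match [regex]::Escape($RevokedSubject) -or $serial -eq $RevokedSerial) {
            $findings.Add("signed with the REVOKED pre-incident certificate ($($cert.Subject), serial $serial)")
        } elseif ($cert.Subject -notmatch [regex]::Escape($GoodSubject) -or $serial -ne $GoodSerial) {
            $findings.Add("signer does not match the expected new certificate ($($cert.Subject), serial $serial)")
        }
        # Status reflects chain/trust validation by Windows; anything other
        # than Valid deserves a look even when the subject and serial match.
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Authenticode status is $($sig.Status), not Valid")
        }
    }

    # Version check. FileVersion is assumed to parse as major.minor.build.revision.
    $ver = $null
    try { $ver = [version](Get-Item -LiteralPath $FilePath).VersionInfo.FileVersion } catch { }
    if ($null -eq $ver) {
        $findings.Add('could not parse file version')
    } elseif ($MinVersion.ContainsKey($ver.Major)) {
        if ($ver -lt $MinVersion[$ver.Major]) {
            $findings.Add("version $ver is below the patched minimum $($MinVersion[$ver.Major]) for the $($ver.Major).x branch")
        }
    } else {
        $findings.Add("version $ver is on a branch this briefing does not cover; check vendor guidance")
    }

    [pscustomobject]@{
        Path    = $FilePath
        Version = $ver
        Signer  = if ($cert) { $cert.Subject } else { $null }
        Serial  = if ($cert) { $cert.SerialNumber } else { $null }
        SHA256  = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
        Verdict = if ($findings.Count -eq 0) { 'OK' } else { 'REVIEW: ' + ($findings -join '; ') }
    }
}

Test-AnyDeskBinary -FilePath $Path | Format-List
```

The script deliberately flags the revoked "philandro Software GmbH" certificate as a distinct finding rather than lumping it in with "unexpected signer", because a binary still carrying that signature is exactly the outdated client the vendor is asking customers to replace. Portable AnyDesk copies often live outside Program Files (user profile or Downloads folders, for example), so in practice an MSP would feed every `AnyDesk*.exe` found on the endpoint into `Test-AnyDeskBinary` rather than relying on the default path. The SHA256 column is there so results can be correlated with your EDR/XDR telemetry.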

To get more threat briefings like these in your inbox, and the latest reports on identity-centric threats as they happen, you can sign up for the MSP Incident Insights email newsletter here!