Dive Brief:
- AnyDesk was hit by a cyberattack that compromised its production systems, the company said Friday in a blog post.
- The company said it immediately responded to the attack, which did not involve ransomware, by revoking and replacing an array of security certificates. AnyDesk did not say when or how it became aware of the attack and did not immediately respond to requests for comment.
- “We have revoked all security-related certificates and systems have been remediated or replaced where necessary," AnyDesk said in the blog post. "We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”
Dive Insight:
AnyDesk, a widely used remote monitoring and management tool, is frequently abused by threat actors seeking access to managed service providers and, through them, to the MSPs' customers, according to cyber authorities.
AnyDesk is used by more than 170,000 customers globally, according to the privately held, Germany-based company.
Malicious use of RMM software presents a growing risk to small and midsize businesses, according to the Cybersecurity and Infrastructure Security Agency.
Attackers used legitimate RMM tools, such as AnyDesk, in a widespread phishing campaign targeting federal employees that began in June 2022, authorities said in a joint cybersecurity advisory last January.
“At this time, the Huntress research team feels the most salient risk resulting from this breach is the potential compromise of AnyDesk’s code signing certificate,” Matt Kiely, principal security researcher at Huntress, said via email. “If the certificate has been stolen, a threat actor could sign a malicious payload with the stolen signing certificate to potentially evade detection.”
Alex Stamos, chief trust officer at SentinelOne, criticized AnyDesk for disclosing the attack late Friday. “From the changelog, it’s clear that they knew this on Jan. 29 but didn’t announce until the end of the day on a Friday. Not cool,” Stamos said Saturday in a LinkedIn post.
Stamos also questioned AnyDesk’s insistence that its install base is secure, given the possibility that its code signing certificate was stolen during the attack.
AnyDesk said it revoked all passwords to its web portal as a precautionary measure and encouraged customers to change their passwords if the same credentials are used elsewhere.
“To date, we have no evidence that any end-user devices have been affected,” the company said in the blog post. “We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate.”
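The two actionable points above, Huntress's concern that a stolen certificate could be used to sign malware and AnyDesk's advice to run only binaries carrying the new certificate, both reduce to one check on a Windows host: read each binary's Authenticode signer and compare its thumbprint against what you expect. The script below is an added example, not AnyDesk's, Huntress's or CISA's code. Both thumbprint values are placeholders you must fill in yourself: take the new one from an installer downloaded fresh from the vendor and verified out of band, and the revoked one from a copy of the binary you already had before the incident. Nothing here identifies the real certificates.

```powershell
# Added example: hunt for binaries signed with an expected-revoked code-signing
# certificate, and for AnyDesk-signed binaries that do not carry the vendor's
# current certificate. Both thumbprints are placeholders (assumptions), not
# values published by AnyDesk.
function Find-SuspectSignatures {
    param(
        [Parameter(Mandatory)] [string[]]$SearchRoots,
        [Parameter(Mandatory)] [string]$CurrentThumbprint,   # vendor's new cert, verified out of band
        [Parameter(Mandatory)] [string]$RevokedThumbprint    # the cert AnyDesk said it is revoking
    )

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
          ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }          # unsigned file: outside this check's scope

            $claimsAnyDesk = $cert.Subject -match 'AnyDesk'

            # Order matters: the revoked cert is a hit whatever the file is called or
            # who the subject claims to be, since an attacker signs with the cert as-is.
            $verdict = if ($cert.Thumbprint -eq $RevokedThumbprint) {
                           'SIGNED-WITH-REVOKED-CERT'
                       } elseif ($claimsAnyDesk -and $sig.Status -ne 'Valid') {
                           "ANYDESK-SIGNATURE-$($sig.Status)"   # e.g. HashMismatch = tampered image
                       } elseif ($claimsAnyDesk -and $cert.Thumbprint -ne $CurrentThumbprint) {
                           'ANYDESK-SUBJECT-UNEXPECTED-CERT'    # old cert, or a look-alike subject
                       } else {
                           $null                                 # not AnyDesk-related: ignore
                       }
            if (-not $verdict) { return }

            [pscustomobject]@{
                Verdict    = $verdict
                Path       = $_.FullName
                Status     = $sig.Status
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Timestamp  = if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' }
            }
          }
    }
}

# Usage: typical install and drop locations for a per-machine or per-user AnyDesk.
# The thumbprint arguments are placeholders; replace them before relying on the output.
Find-SuspectSignatures `
    -SearchRoots @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData", "$env:LOCALAPPDATA", "$env:TEMP") `
    -CurrentThumbprint 'REPLACE-WITH-VERIFIED-NEW-THUMBPRINT' `
    -RevokedThumbprint 'REPLACE-WITH-THUMBPRINT-OF-PREVIOUS-CERT' |
  Sort-Object Verdict, Path |
  Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, do not rely on `Status -eq 'Valid'` alone: an Authenticode signature that was timestamped before the certificate's revocation date continues to validate after revocation, so a binary signed with the old certificate can still report `Valid`; that is why the script compares thumbprints rather than trusting the status. Second, with the placeholder thumbprints left in place the script cannot match anything and will list every AnyDesk-signed binary it finds as `ANYDESK-SUBJECT-UNEXPECTED-CERT`; that is expected noise until you substitute the values you verified yourself.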