AnyDesk has detailed the timeline and impact of a recent hacker attack on its systems.
The breach was detected in mid-January, with the initial intrusion traced back to late December 2023.
The attackers did compromise production systems.
The incident was not a ransomware attack, nor was there an extortion attempt. AnyDesk also stated that reports of user credentials on the dark web were not due to this breach but rather due to malware on customer systems, a risk which the password reset aims to mitigate.
Impact
AnyDesk has found no evidence that attackers accessed customer credentials or distributed malicious AnyDesk software versions. The company has found no malicious code in their software and is revoking compromised certificates, releasing updates with new ones.
Details
As a precaution, AnyDesk is enforcing a password reset for all customers, even though the likelihood of credential theft is considered low. They confirmed the compromise of two European relay servers but have ruled out the possibility of user session hijacking.
Communication
AnyDesk has not released any specific details about how the breach occurred, nor what the attackers had attempted to achieve.
Theirs comms on this incident have been garbage, with an initial attempt to gloss over the outage asĀ maintenance activity.
In the end, they have stuck with the messaging that “no evidence that any end-user devices have been affected”. Which is good to know, but it doesn’t mitigate concerns about how the code signing certificate was compromised.
They have released 2 public statements on their blog about the incident, which can be found here under the Official Statements list.
Opinion
Platforms like AnyDesk are at the top of the hit list by attackers. It is a common tool used to access and exploit end users, and a breach in the companies platform would enable supply chain attacks on over 170,000 end users.
This incident involved the signing certificate being compromised, which is a serious breach of the platforms’ security. The certificate would enable attackers to release a compromised version of the application.
It would be interesting to know just how AnyDesk protects (didn’t protect) its certificates, and how many staff members / systems have access to the certs. It is a safe bet that the certificates are involved in the CI/CD workflow, and these are the sorts of systems that attackers target. Including the developers that work with the dev pipeline.