AnyDesk reported hacking servers and resetting user passwords

AnyDesk reported hacking servers and resetting user passwords

Remote access solutions company AnyDesk has confirmed that it suffered a cyberattack that allowed hackers to gain access to the company’s production systems. The source code and secret code signing keys were stolen during the attack.

AnyDesk became aware of the attack after detecting signs of an incident on production servers. A security audit revealed that the systems had been compromised. AnyDesk then took action with the help of cybersecurity firm CrowdStrike.

AnyDesk revoked security-related certificates and, if necessary, repaired or replaced system components. Customers have been assured that AnyDesk remains safe to use and that the incident did not affect end users’ devices.

“Make sure you’re using the latest version with the new code signing certificate,” the company said in a public statement.

For security reasons, AnyDesk recalls all passwords to its web portal and offers to change them if they are used on other sites. The company notes that session authentication tokens in AnyDesk cannot be stolen because they only exist on the end device.

BleepingComputer examined previous versions of the software and found that the old files were signed with the name “philandro Software GmbH” and the serial number 0dbf152deaf0b981a8a938d53f769db8. The new version is signed by AnyDesk Software GmbH and has serial number 0a8177fcd8936a91b5e0eddf995b0ba5 as shown below. Certificates are usually not revoked unless they have been compromised, such as stolen or disclosed.

AnyDesk users experienced a service outage for four days starting on January 29. The company confirmed that maintenance measures were taken in response to the incident.

Earlier, Recorded Future presented a report which claims that the GitHub platform is becoming an increasingly popular tool for hackers. It is used for placement and distribution of harmful substances. The “Living Off Trusted Sites” (LOTS) tactic allows hackers to disguise their actions as legitimate network traffic, making it difficult for attackers to track and identify them.

Related posts