Hackers breached AnyDesk’s production servers; company resets passwords
AnyDesk has confirmed that it recently suffered a cyberattack that allowed hackers to gain access to the company’s production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.
AnyDesk is a remote access solution that enables users to remotely access computers over a network or the Internet. The program is very popular among enterprises that use it for remote support or to access hosted servers.
The software is also popular among attackers, who use it to maintain persistent access to compromised devices and networks.
The company reports 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS and the United Nations.
In a statement sent to BleepingComputer, AnyDesk said it first became aware of the attack after detecting signs of an incident on its production servers. A security audit then determined that its systems had been compromised, and a response plan was activated with the help of cybersecurity firm CrowdStrike.
The company did not share details about whether data was stolen in the attack. However, BleepingComputer learned that the attackers stole the source code and code signing certificates.
The company also confirmed that no ransomware was involved, but provided few details about the attack beyond saying that its servers were hacked.
AnyDesk says it has revoked security-related certificates and fixed or replaced systems where necessary.
They also assured customers that AnyDesk is safe to use and that there is no evidence that the incident affected end-user devices.
“We can confirm that the situation is under control and it is safe to use AnyDesk. Please make sure you are using the latest version with the new code signing certificate,” AnyDesk said in its public statement.
Although the company claims that authentication tokens were not stolen, as a precaution AnyDesk is revoking all passwords to its web portal and advises changing the password anywhere else it is used.
“AnyDesk is designed in such a way that session authentication tokens cannot be stolen. They exist only on the end user’s device and are associated with the device’s fingerprint. These tokens never touch our systems.” AnyDesk said in a comment to BleepingComputer.
The company has already started replacing the stolen code signing certificates. Gunter Born of BornCity first reported that they were using the new certificate in AnyDesk version 8.0.8 released on January 29th.
The only change listed in the new version is that the company has switched to a new code signing certificate and will soon be revoking the old one.
BleepingComputer looked at previous versions of the software and found that the old executables were signed under the name “philandro Software GmbH” with serial number 0dbf152deaf0b981a8a938d53f769db8. The new version is signed by “AnyDesk Software GmbH” with serial number 0a8177fcd8936a91b5e0eddf995b0ba5.
Certificates are usually not revoked unless they have been compromised, for example stolen in an attack or publicly exposed.
Although AnyDesk did not say when the breach occurred, Born said AnyDesk experienced a four-day outage starting on January 29, during which the company disabled the ability to log into the AnyDesk client.
“my.anydesk II is currently undergoing maintenance which is expected to last for the next 48 hours or less. You can still access and use your account as normal. Login to the AnyDesk client will be restored after the service is completed,” reads the message on the AnyDesk status page.
Access has since been restored, allowing users to log into their accounts, but AnyDesk did not give any reason for the maintenance in its status updates. However, the company confirmed to BleepingComputer that the maintenance was related to the cybersecurity incident.
We strongly recommend that all users upgrade to the new version of the software, as the old code signing certificate will be revoked soon.
Additionally, while AnyDesk claims no passwords were stolen in the attack, the attackers did gain access to production systems, so all AnyDesk users are advised to change their passwords. Anyone who uses their AnyDesk password on other sites should change it there as well.
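To act on the certificate details above, the following PowerShell (an added example, not code from AnyDesk or the original article) inventories AnyDesk executables on a Windows host and classifies each one by the two signing certificate serial numbers reported in the article. The search roots, the function name and the verdict labels are assumptions.

```powershell
# Added example: classify AnyDesk binaries by code signing certificate.
# The two serial numbers are the values reported in the article.
$OldSerial = '0DBF152DEAF0B981A8A938D53F769DB8'   # "philandro Software GmbH"
$NewSerial = '0A8177FCD8936A91B5E0EDDF995B0BA5'   # "AnyDesk Software GmbH"

# Assumed search roots. AnyDesk can also run as a portable executable,
# so add user profile or download folders as your environment requires.
$SearchRoots = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }

function Get-AnyDeskSignatureReport {
    param([Parameter(Mandatory)][string[]]$Path)

    Get-ChildItem -Path $Path -Filter 'AnyDesk*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert   = $sig.SignerCertificate
            $serial = if ($cert) { $cert.SerialNumber.ToUpperInvariant() } else { $null }

            # The old serial is checked before the signature status, because a
            # revoked certificate may no longer validate and would otherwise be
            # reported only as an invalid signature.
            $verdict = if (-not $cert) {
                'UNSIGNED'
            } elseif ($serial -eq $OldSerial) {
                'OLD_CERT_UPGRADE'
            } elseif ($sig.Status -ne 'Valid') {
                'INVALID_SIGNATURE'
            } elseif ($serial -eq $NewSerial) {
                'NEW_CERT'
            } else {
                'UNKNOWN_SIGNER'
            }

            [pscustomobject]@{
                Verdict = $verdict
                Version = $_.VersionInfo.FileVersion
                Signer  = if ($cert) { $cert.Subject } else { '' }
                Serial  = $serial
                Status  = $sig.Status
                Path    = $_.FullName
            }
        }
}

Get-AnyDeskSignatureReport -Path $SearchRoots | Sort-Object Verdict | Format-Table -AutoSize
```

Binaries reported as `OLD_CERT_UPGRADE` are the ones to replace with the newer release; `UNSIGNED`, `INVALID_SIGNATURE` and `UNKNOWN_SIGNER` results deserve a closer look before the file is trusted.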