AnyDesk has been hacked, users urged to change passwords

AnyDesk Software GmbH, the German company behind the widely used (and misused) remote desktop application of the same name, has confirmed they’ve been hacked and their production systems have been compromised.

AnyDesk hacked

The statement was published on Friday evening and lacks technical details about the breach. The incident is not related to ransomware, they added.

What happened?

A few hours before AnyDesk’s revelation, security researcher Kevin Beaumont pointed to the possibility of AnyDesk having been hacked.

“They just had a several day authentication outage they describe as ‘planned maintenance’ (it wasn’t planned) and have now reemerged with a new client,” he noted: AnyDesk version 8.0.8, released on January 29, 2024, which has been signed with a new code signing certificate.

AnyDesk has called in cyberattack response services firm Crowdstrike to investigate and remediate the compromise, and their statement says they:

  • Will be soon be revoking the previous code signing certificate for their binaries
  • Have revoked all security-related certificates and systems have been remediated or replaced where necessary
  • Are revoking all passwords to their web portal (my.anydesk.com) and are recommending that users change their passwords

Even though AnyDesk obviously operates under the assumption that all security-related certificates and passwords have been stolen, the company claims that “the situation is under control and it is safe to use AnyDesk” and that they have no evidence that any end-user devices have been affected.

Should AnyDesk users worry?

German security blogger Günter Born has shared a number of cases reported by his readers about suspicious AnyDesk-related happenings in the past week, but many of them seem to have been “false alarms”. One, though, pointed to the (now confirmed) AnyDesk infrastructure changes following disruptions.

In related news, Resecurity has reported during the weekend about AnyDesk customer account credentials being offered for sale on cybercriminal forums, but they are apparently unrelated to the current breach (and have been compromised through the use of information-stealing malware).

Until AnyDesk shares more details about what was compromised and how, users should:

UPDATE (February 8, 2024, 04:05 a.m. ET):

AnyDesk has updated the document answering frequently asked questions about the incident, and says that the incident had started in late December 2023 and that it was not ransomware or an extortion attempt.

They have reiterated the need for users to update their AnyDesk version as soon as the updates are available, since they will be revoking the certificate(s) used to sign the previous versions, and users can do it without fearing compromise: “We have performed a review of our code and see no malicious modifications. We also have no evidence of malicious code being distributed to customers through any AnyDesk systems.”

They also said that they do not believe users’ passwords have been affected (and explained why), but that they have still forced a password reset for all customers.

“We have considered session hijacking in connection to the incident extremely unlikely from the very beginning. Now, we can rule it out with certainty,” they added.

“To perform session hijacking, the threat actor would have required a deep understanding of the source code and would also have had to modify it. This would not have been possible in the time available to them. We have also done a review of our code and see no malicious modifications. In addition, we have audited and remediated all of our servers.”

Don't miss