Corporate users getting tricked into downloading AnyDesk
Hackers are leveraging the AnyDesk remote desktop application in a phishing campaign targeting employees, Malwarebytes warns.
The AnyDesk phishing campaign
In a phishing campaign recently discovered by Malwarebytes researchers, attackers targeted potential victims via email or SMS, personalized to match their roles within the organization.
But instead of phishing for information directly from the victims, the attackers aimed to make them download remote monitoring and management (RMM) software – in this case, an outdated (but legitimate) AnyDesk executable.
To make them do that, the victims were directed to newly registered websites mimicking various financial institutions and asked to download a “live chat application”.
The bogus website posing as Barclays’. (Source: Malwarebytes)
“Running the program will show a code that you can give to the person trying to assist you. This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user,” Malwarebytes researchers noted.
Unfortunately, many banking sites cannot detect whether a customer is running a remote access program while logging in, and where such detection is present, threat actors sometimes manage to evade it.
Hackers love using RMM software
Phishing campaigns leading victims to download RMMs are not new and have been seen targeting even government agencies.
The popularity and common usage of RMMs (such as AnyDesk and ConnectWise Control) within organizations have caught the attention of cybercriminals that see them as a useful tool they can leverage to breach a network and access sensitive data.
AnyDesk has also recently suffered a data breach that compromised its production systems. Given its widespread use among various organizations, such an incident could have significant consequences.
To avoid legitimate tools being leveraged by attackers, organizations are advised to:
- Update and continuously monitor their software inventory
- Consider removing unnecessary tools
- Restrict tools that could aid exploitation (any usage approval should be time-limited)
- Recognise usual workstation activity and flag anomalies
- Patch and update regularly
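As an added defender-side illustration of the inventory and anomaly points above (example code, not from the article or from Malwarebytes), the following Python scans constructed Sysmon-style process-creation events for RMM launches that fall outside an assumed approved inventory: an install path other than the sanctioned one, a version below the policy minimum, or a process spawned directly by a browser as happens with a freshly downloaded "live chat" binary. Product names, paths, version numbers and the policy table are all assumed sample values.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_LOG = r"""
2024-02-05T09:12:44Z host=WS-017 user=jdoe image=C:\Users\jdoe\Downloads\livechat.exe product="AnyDesk" version=7.0.8 parent="C:\Program Files\Google\Chrome\Application\chrome.exe"
2024-02-05T09:15:02Z host=WS-021 user=kbrown image="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" product="AnyDesk" version=8.0.6 parent=C:\Windows\explorer.exe
2024-02-05T09:20:11Z host=WS-023 user=asmith image=C:\Users\asmith\AppData\Local\Temp\chat_support.exe product="ScreenConnect" version=23.8.4 parent="C:\Program Files\Mozilla Firefox\firefox.exe"
2024-02-05T09:30:45Z host=WS-017 user=jdoe image=C:\Windows\System32\notepad.exe product="Microsoft Windows" version=10.0.19041 parent=C:\Windows\explorer.exe
"""

# Assumed policy: which RMM products exist, which are approved, where, and at what minimum version.
RMM_PRODUCTS = {"AnyDesk", "ScreenConnect", "ConnectWise Control"}
APPROVED = {"AnyDesk": (r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "8.0.0")}
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def assess_event(ev: Dict[str, str]) -> List[str]:
    """Return the policy violations for an RMM launch (empty list = nothing to flag)."""
    if ev.get("product") not in RMM_PRODUCTS:
        return []
    reasons = []
    approved = APPROVED.get(ev["product"])
    if approved is None:
        reasons.append("product not in approved inventory")
    else:
        path, min_version = approved
        if ev["image"].lower() != path.lower():
            reasons.append("launched from non-standard path")
        if version_tuple(ev["version"]) < version_tuple(min_version):
            reasons.append("outdated version")
    if ev["parent"].lower().endswith(BROWSERS):
        reasons.append("spawned directly by a browser")
    return reasons


def scan_log(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (host, user, product, reasons) for every event that violates policy."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        reasons = assess_event(ev)
        if reasons:
            findings.append((ev["host"], ev["user"], ev["product"], reasons))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the AnyDesk binary run from a Downloads folder and the unapproved ScreenConnect launch, while the sanctioned AnyDesk install and notepad pass.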