The compromise of AnyDesk, a widely used remote desktop application distributed by AnyDesk Software GmbH, has caused quite a stir in the cybersecurity domain. The disclosure is especially concerning because the software is a proprietary, closed-source product that provides platform-independent remote access to personal computers and a wide range of other devices.
On February 2, 2024, the company disclosed that a cyberattack on AnyDesk had compromised its production systems. The prospect of such software, or its infrastructure, falling into the hands of cybercriminals is a significant concern, since it could provide unauthorized access to any personal computer or device running the host application.
The cyberattack on AnyDesk came to light through a public statement detailing the results of a security audit conducted in response to indications of a breach.
“Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cybersecurity experts CrowdStrike,” read the official statement.
While AnyDesk reassured users that the situation was under control, the crucial question lingers: what exactly does this entail? A closer examination sheds light on the implications and potential repercussions of this incident.
Cyberattack on AnyDesk: Credentials Offered on Dark Web
As a precautionary measure, AnyDesk urged all users to change their passwords, particularly those who reuse the same credentials elsewhere. “As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,” reads the official statement.
However, the aftermath of the cyberattack has taken a more complex turn, with threat actors identified on the Dark Web selling access to compromised AnyDesk credentials.
Resecurity, a cybersecurity firm, identified multiple threat actors involved in this illicit trade. One such actor, using the alias “Jobaaaaa,” listed over 18,000 AnyDesk customer credentials for sale on the Dark Web forum Exploit[.]in. The threat actor described the compromised data as well suited to technical support scams and phishing activities.
The discussion surrounding the AnyDesk data took an intriguing turn when a threat intelligence platform stated that the credentials being traded on the dark web did not stem from the recent breach but rather from historical infostealer infections on the victims' own machines.
This sparked discussions on the social media platform X about the timing and motive behind the credential sale, with Hudson Rock proposing that threat actors were capitalizing on the publicity around the breach to sell older data, an assertion supported by Resecurity.
Resecurity further emphasized that, as of February 4, numerous accounts still had not had their passwords updated and lacked the additional layer of security provided by two-factor authentication (2FA).
The samples the threat actor provided to the cybersecurity firm contained compromised access credentials for both individual consumers and enterprises, allowing entry into the AnyDesk customer portal. The threat actor had partially masked some of the passwords in the samples. The actor offered 18,317 accounts for $15,000, payable in cryptocurrency, and was also willing to complete the transaction through the escrow service on Exploit.
These compromised accounts posed a real threat, particularly considering that the majority of them had no 2FA enabled.