Attackers are impersonating the Computer Emergency Response Team of Ukraine (CERT-UA) via AnyDesk to gain access to target computers.
The request (Source: CERT-UA)
“Unidentified individuals are sending connection requests via AnyDesk under the pretext of conducting a ‘security audit to verify the level of protection,’ using the name ‘CERT.UA,’ the CERT-UA logo, and the AnyDesk ID “1518341498” (which may vary),” CERT-UA explained on Friday.
The requests are apparently unarranged and the attackers are counting on the individuals working on those computers to accept them without question: “It is evident that attackers are once again resorting to social engineering methods based on trust and the use of authority.”
To send a connection request, the attacker must know the target’s AnyDesk ID and the remote access software must be operational on their device.
They believe that the attackers might have gotten a hold on targets’ AnyDesk ID after compromising other computers where such remote access was previously authorized.
Attackers using remote access tools
AnyDesk and other remote access tools are often leveraged by a variety of attackers to gain access to target computers.
The national CERT of Ukraine has been using various remote access tools to help users fend off, detect and mitigate cyber incidents. But, the team notes, such interventions are previously agreed upon through pre-approved communication channels.
A connection requests out of the blue should, therefore, raise potential targets’ suspicions.
The team did not whether the targets were government workers, company employees, or private individuals, but has urged anyone getting such a connection request to report it to relevant cyber protection units or CERT-UA.