Cybersecurity researchers have identified multiple threat actors on a Russian language dark web forum actively selling AnyDesk accounts, ranging from 18,000 to 30,000 accounts.
On February 2, 2024, AnyDesk, a popular remote desktop application, disclosed a security breach incident involving unauthorized access to its production systems by unknown hackers.
Now, in its latest blog post published on Sunday, February 4, 2024, cybersecurity researchers at Resecurity disclosed alarming findings: multiple threat actors are selling compromised AnyDesk login credentials on both the clear web and the dark web.
It’s crucial to note that the sale of AnyDesk credentials on the dark web is separate from the recent security breach. According to Resecurity, the stolen login credentials being sold are a result of infostealing malware infecting PCs to harvest sensitive information.
This parallels a similar incident in June 2023, where hackers were found selling 100,000 ChatGPT login accounts. These accounts were obtained through devices infected with Raccoon, Vidar, and Redline malware worldwide.
According to Resecurity’s blog post, researchers have identified a threat actor operating under the alias “Jobaaaaa,” who has been observed selling 18,317 compromised AnyDesk accounts. These accounts are being offered for sale for $15,000 worth of Bitcoin (BTC) or Monero (XMR) cryptocurrency, with transactions facilitated through escrow services.
However, Alon Gal of Hudson Rock has countered Resecurity’s findings, stating that the threat actor is actually selling over 30,000 AnyDesk accounts. Despite this difference, the use of Escrow—a trusted third-party payment service—by the hacker adds a level of credibility to the offer.
These compromised AnyDesk accounts are being marketed on Exploitin, a cybercrime and hacker forum accessible on both the clear and dark web and primarily operating in Russian. This forum has gained notoriety for facilitating various cybercrimes, including exploiting vulnerabilities, selling databases, and leaking sensitive information.
Interestingly, it’s the same platform where administrators of the Genesis cybercrime market acknowledged the seizure of their clear web domain in April 2023.
Timestamp Disaster
Resecurity’s latest revelation centers on the timestamps related to the sale of compromised accounts. The timestamps visible on the shared screenshots illustrate instances of successful unauthorized access on February 3, 2024, after the disclosure of the security incident.
Furthermore, researchers have verified that the compromised accounts include those of both individual users and enterprises. This highlights the potential for a significant disaster for organizations and unsuspecting users if these accounts fall into the wrong hands. As a precautionary measure, it is crucial for all AnyDesk users, irrespective of their location, to promptly change their passwords.
The potential impact
The potential impact, whether on an individual or enterprise, would be devastating. Here’s what could happen if a functioning AnyDesk account for either an individual or an enterprise falls into the hands of a malicious threat actor:
For Individual
- Financial Loss: Hackers could use stolen credentials to make fraudulent transactions, steal money from linked accounts, or commit financial extortion.
- Data Theft: Personal data like documents, photos, and browsing history could be stolen and sold or used for identity theft.
- Identity Theft: Hackers could impersonate the individual online or over the phone to steal their identity or commit other crimes.
- Reputational Damage: Stolen accounts could be used to spread misinformation or engage in other harmful activities, damaging the individual’s reputation.
- Operational Disruption: Individuals might lose access to important accounts or data if hackers change passwords or lock them out.
For enterprises:
- Financial Losses: Businesses could suffer financial losses due to fraud, data breaches, and ransomware attacks.
- Data Theft: Sensitive business data, trade secrets, and customer information could be stolen and sold or used for competitive advantage.
- Employee Impersonation: Hackers could impersonate employees to gain access to sensitive systems or data.
- Reputational Damage: Data breaches and other security incidents can damage a company’s brand image and customer trust.
- Operational Disruption: Stolen credentials could be used to disrupt business operations, causing productivity loss and downtime.
- Ransomware Attacks: Hackers could encrypt data and demand a ransom payment to decrypt it.
What Should Victims Do?
Here are some steps that individuals and enterprises can take to protect themselves:
- Change passwords immediately: If you think your AnyDesk credentials might be compromised, change your password immediately and enable two-factor authentication if available.
- Be cautious of phishing emails: Don’t click on links or open attachments in suspicious emails, even if they appear to be from AnyDesk.
- Report suspicious activity: If you see any suspicious activity on your AnyDesk account, report it to AnyDesk immediately.
- Use strong passwords: Use strong, unique passwords for all your online accounts, and avoid using the same password for multiple accounts.
- Enable two-factor authentication: Two-factor authentication adds an extra layer of security by requiring a second factor, such as a code from your phone, to log in.
- Stay informed: Keep yourself informed about the latest security threats and best practices.
Nevertheless, regardless of your location or whether you recently changed your AnyDesk account password, it’s critical to change the password once again immediately. The timestamps of login sessions from these accounts authenticate their legitimacy.
RELATED NEWS
- New Windows Infostealer ‘ExelaStealer’ Sold on Dark Web
- Thousands of Dark Web Posts Expose ChatGPT Abuse Plans
- 360m WhatsApp Records Shared on Telegram and Dark Web
- Cloudflare Hacked After State Actors Leverages Okta Breach
- TeamViewer Used to Obtain Remote Access, Deploy Ransomware