AnyDesk, a prominent developer of remote desktop software, has publicly acknowledged a cyber incident that resulted in the compromise of its production systems. The attack was identified during a routine security audit, and the company clarified that it does not involve ransomware.

Based in Germany, AnyDesk has alerted the appropriate authorities regarding this breach. In a statement, the company disclosed that it has taken immediate actions, including revoking all security certificates and remediating systems as necessary. AnyDesk also plans to replace its existing code signing certificate shortly, highlighting its commitment to ensuring the security of its software.

As a precautionary measure, the company has deactivated all passwords associated with its web portal, my.anydesk[.]com. This move is part of an effort to promote user security, urging customers to update their passwords—especially if they have been reused across other online services. The company is also advising users to download the latest software versions, which include an updated code signing certificate for enhanced security.

At this time, the specifics of the breach, including when it occurred and whether any sensitive information was extracted, have not been fully disclosed. However, AnyDesk emphasized that there is no evidence of an impact on end-user systems. The disclosure follows reports from cybersecurity experts suggesting that customer credentials related to AnyDesk may have been made available for sale on underground forums.

Prior to this incident, Günter Born of BornCity noted that AnyDesk had been facing maintenance challenges since January 29. Service interruptions were acknowledged as early as January 24, when users experienced intermittent timeouts and degradation in the functionality of the Customer Portal. Such issues could be indicative of broader systemic vulnerabilities or exposure due to the ongoing attack.

AnyDesk’s global customer base surpasses 170,000, including companies like Amedes, AutoForm Engineering, LG Electronics, and Samsung Electronics. The implications of this cyber event are significant, especially in light of breaches reported by other firms, such as Cloudflare, which recently revealed unauthorized access by suspected state-sponsored attackers.

In a concerning update, the cybersecurity firm Resecurity revealed that an actor using the alias “Jobaaaaa” has been marketing a substantial number of AnyDesk user credentials for illicit purposes, including scams and phishing attacks. The credentials reportedly amount to over 18,000 accounts offered for the price of $15,000 in cryptocurrency. This revelation aligns with the timeline of the reported cyber attack, indicating that opportunistic criminals may be seeking to exploit the situation.

AnyDesk stated that all versions of its software obtained from official sources remain secure for use, emphasizing that the breach is not associated with any malicious modification or distribution of its source code. The company clarified that any leaked credentials appear to stem from outdated data, potentially linked to malware on user devices, rather than from the AnyDesk incident itself.

In terms of cybersecurity tactics, the incident may map to MITRE ATT&CK techniques under the Initial Access and Persistence tactics. Potential vectors could include phishing or the exploitation of existing vulnerabilities within the company’s systems that allowed for unauthorized access. As the investigation continues, the focus remains on restoring confidence and safeguarding the integrity of AnyDesk’s services.
