Since working from home was normalised, remote-working and productivity tooling has been heavily targeted by threat actors looking to exploit it and use it for nefarious means. AnyDesk, for example, is very commonly used by threat actors to maintain persistence on a network without the need to utilise ‘untrusted’ (malware) tooling to keep a foothold. Part of the reason it is so commonly used by threat actors is that it is so commonly used legitimately – if you want to hide a tree, use a forest.
AnyDesk’s ubiquity is part of the reason this story is so concerning. If one were to rank compromises in terms of severity and impact, the theft of all security keys and all source code would come very close to the top of the list. If TLS certificates and private keys were stolen (and this has not been expressly confirmed), existing AnyDesk sessions can be considered at risk, and the stolen keys could even be used to improperly ‘validate’ malicious software masquerading as AnyDesk. Source code is valuable to threat actors because, among other things, it gives them the opportunity to discover vulnerabilities that render the service exploitable. This is harder for the threat actor to achieve, but it is also harder for AnyDesk to mitigate: certificates, by contrast, can be (and have been) quickly revoked. Some security researchers have called for a temporary cessation of the use of AnyDesk – probably something that cannot realistically be heeded by most businesses, which need to continue operating, but a stark reminder of the severity of the breach nonetheless.
Coincidentally, this weekend a threat actor on the deep and dark web advertised a large, unverified AnyDesk username/credential data set for sale. While it is unclear whether these events are connected, organisations should still consider resetting credentials out of an abundance of caution, enabling MFA, and ensuring that AnyDesk’s guidance is followed and that systems are updated as soon as possible.