AnyDesk, the maker of the remote desktop software of the same name, suffered a cyber attack that compromised its production systems. The German company did not describe the incident as a ransomware attack. It detected the intrusion during a security audit and promptly notified the relevant authorities. In response, AnyDesk revoked all security-related certificates, remediated or replaced the affected systems, and began replacing its code signing certificate. It urged users to change their portal passwords and to download the latest version of the software, stressing that there is no evidence that end-user systems were affected.
AnyDesk has not confirmed when or how the breach occurred. As a precaution it revoked all portal passwords and advised users who had reused their AnyDesk password on other services to change it there as well.
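The response described above (revoked certificates, a rotated code signing certificate, and the advice to install the latest release) leaves a practical question for administrators: is the AnyDesk binary on a given machine signed by the certificate you now expect, and is any certificate in its signing chain revoked? The following PowerShell script is an added example, not code from the article or from AnyDesk. It assumes the install paths listed at the bottom and uses a placeholder thumbprint that must be replaced with the thumbprint of the vendor's current signing certificate (the article does not give one).

```powershell
# Added example (not from the article or AnyDesk): check that a binary carries a
# valid Authenticode signature, that the signer is the certificate you expect,
# and that nothing in the signing chain has been revoked.
# Assumptions: the install paths below and the thumbprint placeholder, which must
# be replaced with the expected certificate's SHA-1 thumbprint.

function Test-SignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: replace with the expected signing-certificate thumbprint.
        [string] $ExpectedThumbprint = 'REPLACE_WITH_EXPECTED_SHA1_THUMBPRINT'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'FileNotFound' }
    }

    # WinVerifyTrust verdict: Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $revoked     = $false
    $chainErrors = @()
    if ($cert) {
        # Rebuild the chain with online revocation checking (CRL/OCSP) applied to
        # every certificate in the chain, not only the leaf.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)
        $chainErrors = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
        $revoked = $chainErrors -contains 'Revoked'
    }

    # X509Certificate2.Thumbprint is upper-case hex, so normalise the expected value.
    $thumbprintMatches = $cert -and ($cert.Thumbprint -eq $ExpectedThumbprint.ToUpperInvariant())

    $result = if ($sig.Status -ne 'Valid')       { "Untrusted:$($sig.Status)" }
              elseif ($revoked)                  { 'SignerRevoked' }
              elseif (-not $thumbprintMatches)   { 'UnexpectedSigner' }
              else                               { 'OK' }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        NotBefore   = if ($cert) { $cert.NotBefore }  else { $null }
        ChainErrors = ($chainErrors -join ', ')
        Result      = $result
    }
}

# Typical install locations (assumed); adjust for your environment.
$candidates = @(
    "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe",
    "$env:ProgramFiles\AnyDesk\AnyDesk.exe"
)

$candidates | ForEach-Object { Test-SignedBinary -Path $_ } | Format-Table -AutoSize
```

Run it after updating to the latest release, as the vendor advises. A binary whose signing certificate has since been revoked is reported as SignerRevoked, one signed by a certificate other than the expected one as UnexpectedSigner, and an unsigned or tampered file as Untrusted with the WinVerifyTrust status attached; only a valid signature from the expected thumbprint with a clean chain yields OK.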
Earlier, AnyDesk had been in a maintenance state since January 29, which was resolved on February 1, and intermittent timeouts and service degradation had been reported on January 24. AnyDesk has over 170,000 customers, including major companies such as LG Electronics, Samsung Electronics, and Thales. Following the breach, cybersecurity firm Resecurity observed threat actors advertising AnyDesk customer credentials for sale, which could fuel technical support scams and phishing. Notably, timestamps on the screenshots the sellers shared suggest unauthorized access as of February 3, 2024, after the incident had been disclosed.
The aftermath shows cybercriminals trying to monetize the available customer credentials: the threat actor "Jobaaaaa" offered 18,317 accounts for $15,000 in cryptocurrency. Resecurity found the listing on Exploit[.]in. Although the origin of the credentials remains unclear, the offer underlines the urgency for affected parties to reset their access credentials. The incident further illustrates the persistent threat of cyber attacks against both service providers and their user base.