AnyDesk compromise calls certificates into question

The most salient risk, according to one industry pro: the potential compromise of a code-signing certificate.

Like your autographed napkin from that Elvis impersonator, some signatures are less valuable than others.

On Feb. 2, remote desktop application AnyDesk reported a compromise of its production environment and said it revoked “all security-related certificates.”

The potential packaging of malicious code with false authenticity badges means security operations center (SOC) analysts must be watchful, one industry pro said.

“That means that that payload may look a little more legitimate to a cyberdefense product than it would otherwise,” Matt Kiely, a principal researcher at cybersecurity company Huntress, told IT Brew.

“Now, what that also means is that the serial number and the specifics of that potentially stolen cert are well understood,” Kiely added. “And so threat hunters and SOC analysts should zero in on those details.”

What happened? On Friday, Feb. 2, AnyDesk noted its immediate remediation actions following discovery of a production-environment hit, citing activation of its response plan with the cybersecurity vendor CrowdStrike; a precautionary pulling of passwords to its portal; and notification to authorities of the event, which, according to AnyDesk, is not related to ransomware.

“We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” the company’s Friday post read.

AnyDesk added to its statement this week, saying it had no evidence of end-user compromise or exfiltration of customer data. The company also recommended customers use the latest 7.0.15 and 8.0.8 product versions.

The risks: IT professionals use AnyDesk to remotely connect to and troubleshoot technical issues with client devices. On its site, the company claims more than 170,000 customers.

“That’s the real risk here is this appears to be a supply-chain type of attack, of using AnyDesk as a means to get into other companies,” Mark Manglicmot, SVP of security services at Arctic Wolf, told IT Brew.

In January, the Cybersecurity and Infrastructure Security Agency (CISA) warned network pros of the malicious use of legitimate remote monitoring and management (RMM) tools like AnyDesk.

“Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions,” the cybersecurity agency said in an advisory last year.

What to do: Manglicmot recommends IT pros look back at security logs for signs of nefarious activity, like unexpected logins, exfiltration of data, or new admin accounts.

Kiely, whose team recently examined malicious use of remote desktop product TeamViewer, noted the distinction between attackers using RMM tools to further attack campaigns and the compromise of AnyDesk, which publishes remote-access software.

The most salient risk, according to Kiely: the potential compromise of AnyDesk’s code-signing certificate, which a threat actor could use to make malicious payloads look legitimate.

“If we inspect any payloads that appear to be malicious, and they’re not AnyDesk, that’s a very good indicator that that’s a malicious binary that’s trying to use the AnyDesk signature,” Kiely said.
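The two checks Kiely describes, zeroing in on the serial number of the revoked certificate and treating any non-AnyDesk binary that carries the AnyDesk signature as suspect, can be turned into a simple triage pass over signer metadata. The script below is an added illustration, not AnyDesk's, Huntress's or IT Brew's code; it assumes a JSON export of per-file signature details from whatever inspection tool the SOC uses, and the field names, the revoked serial and the sample file names are constructed placeholders rather than the real values.

```python
"""Post-compromise triage of code-signing metadata (added example). Field
names, the revoked serial and the file names are constructed placeholders,
not real AnyDesk values; records come from a signature inspection tool."""
import json

# Assumption: the revoked serial(s) come from the vendor's notice or CRL.
REVOKED_SERIALS = {"0D:EA:DB:EE:F0:01"}                     # placeholder
VENDOR_CN_FRAGMENT = "anydesk"                             # signer CN to watch
VENDOR_FILENAMES = {"anydesk.exe", "anydesk_service.exe"}  # assumed names

def normalize_serial(serial: str) -> str:
    """Make serials comparable across tools (case, colons, leading zeros)."""
    return serial.replace(":", "").replace(" ", "").lstrip("0").upper()

def classify(record: dict) -> list[str]:
    """Reasons a signed file deserves a closer look; empty list means none."""
    reasons = []
    revoked = {normalize_serial(s) for s in REVOKED_SERIALS}
    cn = record.get("signer_cn", "").lower()
    original = record.get("original_filename", "").lower()
    if normalize_serial(record.get("serial", "")) in revoked:
        reasons.append("signed with a revoked certificate serial")
    if VENDOR_CN_FRAGMENT in cn and original not in VENDOR_FILENAMES:
        reasons.append("vendor signature on a file that is not the vendor's product")
    if record.get("status", "").lower() != "valid":
        reasons.append(f"signature status is {record.get('status')!r}")
    return reasons

def triage(export_json: str) -> dict[str, list[str]]:
    """Map each suspicious path to its reasons; clean files are left out."""
    findings = {}
    for record in json.loads(export_json):
        reasons = classify(record)
        if reasons:
            findings[record["path"]] = reasons
    return findings

# Constructed sample: a genuine client on the old cert, an impostor reusing it, a re-signed client.
SAMPLE_EXPORT = json.dumps([
    {"path": "C:/Program Files/AnyDesk/AnyDesk.exe", "signer_cn": "AnyDesk Software GmbH",
     "serial": "0DEADBEEF001", "original_filename": "AnyDesk.exe", "status": "Valid"},
    {"path": "C:/Users/Public/update.exe", "signer_cn": "AnyDesk Software GmbH",
     "serial": "0deadbeef001", "original_filename": "helper.exe", "status": "Valid"},
    {"path": "C:/Users/alice/Downloads/AnyDesk.exe", "signer_cn": "AnyDesk Software GmbH",
     "serial": "7A:00:00:00:00:42", "original_filename": "AnyDesk.exe", "status": "Valid"},
])

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EXPORT).items():
        print(path, "->", "; ".join(reasons))
```

A genuine client that still carries the old certificate is flagged only for the revoked serial (it needs the updated build), while a file that is not the vendor's product but carries the vendor's signature picks up both reasons and should go to the top of the queue.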
