SOCRadar® Cyber Intelligence Inc. | AnyDesk Production Server Breach and Dark Web Sale of 18,000 Accounts
Home

Resources

Blog
Feb 05, 2024
4 Mins Read

AnyDesk Production Server Breach and Dark Web Sale of 18,000 Accounts

AnyDesk, a prominent remote desktop software provider, reported a security breach affecting its production systems on February 2, 2024.

Speculation about the incident had already begun circulating on social media before the announcement. On January 30, 2024, AnyDesk tweeted about undergoing maintenance, which indicates potential issues preceding the official disclosure.

AnyDesk’s announcement for the maintenance (X)

AnyDesk’s announcement for the maintenance (X)

The breach, detected during a security audit, prompted immediate action by cybersecurity specialists, who implemented a comprehensive remediation plan. Although the exact timing of the breach remains unclear, AnyDesk’s maintenance tweet on January 30 suggests that the incident occurred earlier.

While not involving ransomware, the breach necessitated the revocation and replacement of security certificates, including a forthcoming revocation of the previous code signing certificate for AnyDesk binaries. This action was taken because, reportedly, threat actors may have accessed source code and the code signing certificates.

AnyDesk has emphasized that no private keys, security tokens, or passwords were stored in a manner that would compromise end-user devices.

Does the Latest AnyDesk Security Breach Signal a Supply Chain Issue?

The integrity of remote desktop solutions like AnyDesk is critical, particularly when serving large numbers of enterprise clients. The breach at AnyDesk carries significant implications due to the potential access it could provide to threat actors across numerous end-user devices worldwide.

Although there are no indications of a supply chain incident based on available information, the breach raises concerns about the potential for a significant supply chain issue given AnyDesk’s prominence.

To safeguard your organization against supply chain issues, leverage SOCRadar’s Supply Chain Intelligence module. With the module, you can monitor the latest breaches, add vendors to a WatchList for a specialized incident feed, and stay informed about upcoming incidents for timely mitigation.

SOCRadar’s Supply Chain Intelligence

SOCRadar’s Supply Chain Intelligence

Alarming Sale of Over 18,000 AnyDesk Accounts

A threat actor is selling over 18,000 AnyDesk accounts on a hacking forum. The sale post indicates that the data includes both corporate and personal contact information, email addresses, and license keys providing access to the AnyDesk customer portal.

Threat actor’s sale post for AnyDesk accounts (X)

Threat actor’s sale post for AnyDesk accounts (X)

If threat actors acquire this information, they may gain unauthorized access to systems, compromise sensitive data, and potentially lead to financial or reputational losses.

While it is uncertain if this leak is linked to the recent production server breach at AnyDesk, it adds to the threats faced by the company and its customers, emphasizing the need for vigilance.

You can utilize SOCRadar’s Dark Web News to monitor such incidents, leak posts, or data sales on the Dark Web and stay proactive to counter potential threats targeting your organization.

SOCRadar Dark Web News

SOCRadar Dark Web News

Recommendations to Safeguard Your AnyDesk Application

On January 29, AnyDesk issued a new version of its Windows application featuring a new code signing certificate. Whether other versions of AnyDesk will receive updates soon remains uncertain. The company assures users that the integrity of end-user devices remains uncompromised and encourages users to download the latest software version.

As a precautionary measure, passwords to the AnyDesk web portal have been revoked, and the vendor advises users to change passwords reused on other platforms.

For further details, refer to AnyDesk’s public statement.