AnyDesk Breach Incident

What is AnyDesk

AnyDesk is a Remote Monitoring and Management (RMM) tool commonly and frequently used in IT Infrastructure Management. RMM tools like AnyDesk allow organizations to efficiently oversee and control their IT systems. Essentially, an RMM solution acts as a centralized hub, enabling IT professionals to remotely monitor and manage various aspects of a networked environment. But like many RMM Software, it can act as a double-edged sword, allowing attackers to gain access to your endpoints.

AnyDesk Code Cyberattack and Code Signing Certificate Attack

Like many other RMM tools, AnyDesk has fallen victim to a cyberattack. The company acknowledged the breach after detecting unusual activity during a security audit. While AnyDesk did not disclose specifics regarding potential data theft during the attack or what caused an initial foothold onto their systems, it was reported that threat actors successfully stole source code and code signing certificates.

As part of their comprehensive response, AnyDesk revoked security-related certificates, remediated or replaced affected systems, and assured users that the platform remains secure. They emphasized that there is no evidence of end-user devices being impacted by the incident.  Additionally, an examination of earlier software versions revealed notable changes in the code signing certificates. The compromised versions were identified with the following signature 'philandro Software GmbH' and the serial number “0dbf152deaf0b981a8a938d53f769db8”. The new version is signed under 'AnyDesk Software GmbH' with a different serial number, specifically “0a8177fcd8936a91b5e0eddf995b0ba5”.

‍

Mitigation

AnyDesk has urged their users to take the following actions in efforts to mitigate the potential consequences of this attack:

1. Password Update: AnyDesk recommends users change their account passwords as a proactive step to reduce the risk of unauthorized access in case of potential user data theft.

2. Software Upgrade: Users are encouraged to download and install the latest version of AnyDesk. This update includes the most recent code signing certificate.

‍

ThreatLocker Ops

ThreatLocker has Added a ThreatLocker Ops Policy to the Community to check the use of revoked certificates. If you are using ThreatLocker Ops, you can add the Policy TL.AAL.003 from the Community Page.

‍

ThreatLocker Application Allowlisting

ThreatLocker Application Allowlisting blocks all untrusted software by default. So, if you do not have a policy for AnyDesk and your computers are in secured mode, you need to take no further action. If your computers are not in secured mode, we recommend securing your computers as soon as possible.

If you are using ThreatLocker Application Allowlisting Module, Built-in Policies for AnyDesk do not contain any certificate only rules. Therefore, even if an attacker uses the compromised certificate, it shouldn't be able to run.

If you are using your own custom rules in your environment, they may contain certificate only policies. Where ThreatLocker has created certificate-based rules for custom application definitions, they will always combine the certificate and path, so files will not be permitted solely on certificate.

In the case you have created your own custom rule for the PHILANDRO SOFTWARE GMBH policy, ThreatLocker has created a policy in Community to block the revoked certificate (TL.AAL.004). This should be added above all other policies.

‍