[German]My fears have been confirmed. The days-long "maintenance" of the AnyDesk websites is the result of a cyber attack. AnyDesk's production systems have been hacked. All AnyDesk software must be considered compromised. After the German CERT (BSI) sent out a confidential warning to users of critical infrastructures, I have received finally the incident report from AnyDesk. Below I have put together all the information I now have in one article.
Advertising
The history of this story
On January 25, 2024, a reader contacted me and complained about constant "malfunctions" with the AnyDesk remote maintenance software. The reader was no longer able to establish a connection from January 20, 2024. In addition, license keys were suddenly no longer accepted. AnyDesk support only stated that there were "currently problems with the server connections". Below is a screenshot of a Statement (in German) from the AnyDesk support.
I've covered the case in my German blog post Störung bei AnyDesk, jemand betroffen?, but I wrote not an English version, because I received feedback from my blog readership, that they didn't noticed something. However, the reader mentioned above told me about issues still occuring, and as of January 30, 2024, AnyDesk's website was suddenly in maintenance mode and no longer accessible.
Who or what is AnyDesk?
AnyDesk is a provider that offers remote maintenance software under the same name. The product was developed by former TeamViewer employees and was long regarded as an alternative to this product. AnyDesk is used by many companies, with the provider claiming a total of 170,000 customers. Names such as 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS and the United Nations are also mentioned. AnyDesk is also integrated into some products.
First indications of a hack
Due to a cryptic hint from an anonymous source that AnyDesk should no longer be used in critical environments, I wrote the German blog post AnyDesk und die Störungen: Es ist womöglich was im Busch on February 1, 2024, where I raised the question of a hack.
Advertising
Later I added the English blog post AnyDesk: Be careful in using that remote support software. Over the last two days, I several "information fragments" from various sources have trickled in to tell me that there is something suspicious.
And it turned out that AnyDesk had replaced the certificates used for the digital signing of AnyDesk client version 8.0.8 on January 29, 2024, according to the changelog.
A confidential German CERT (BSI) warning
What I also found out was that the Federal Office for Information Security (BSI) had sent out a warning to the circle of operators of critical infrastructures this week, but had given it a TLP classification so that only a very small group of people were allowed to view it and not share it under any circumstances. Information on the TLP classification can be found here. According to my information, the document was classified as TLP:AMBER+STRICT – I still don't know the content – but I knew that there had been a hack in which keys had been leaked.
AnyDesk confirms successful cyber attack
In an "incident report" promised by AnyDesk and sent by e-mail a few hours ago, my suspicion that there had been a cyber attack is confirmed. The short incident report is available here. AnyDesk confirms that a security check was carried out following indications of an incident in some of its own systems. This revealed evidence of compromised production systems.
Incident at the end of January 2024?
The incidence report does not contain any dates, but according to my information, this review was probably initiated on January 29 or 30, 2024, which corresponds to the start of the maintenance phase on January 30, 2024. AnyDesk states that it immediately activated a remediation and response plan involving CrowdStrike's cybersecurity experts.
Maintenance completed, authorities informed
The report also states that the remediation plan has been successfully completed. The relevant authorities have been notified and the company is working closely with the authorities. The company denies that this incident is a ransomware infection. This must have led to the above-mentioned BSI warning with the "TLP:AMBER+STRICT" block, which underlines the explosive nature of the incident.
Certificates and passwords revoked
AnyDesk then revoked all security-relevant certificates and the systems were repaired or replaced where necessary, the report continues. This explains the days-long maintenance mode of the systems. The previous code signing certificate for AnyDesk binaries is now to be revoked shortly, and AnyDesk has already started to replace it with a new one, the provider writes.
This confirms the observation that the AnyDesk client version 8.0.8 from January 29, 2024 was signed with a new certificate. The colleagues from Bleeping Computer, with whom I was still in contact yesterday, have named the old and new certificate used in this article.
User passwords should be changed
In the incidence report, AnyDesk writes "As a precautionary measure, we have revoked all passwords for our web portal my.anydesk.com and recommend that users change their passwords if they use the same login details elsewhere." I had already given this advice yesterday here in the blog and advised users to stop using the remote maintenance software for the time being.
No evidence of exploitation?
AnyDesk writes about this incident that there are no indications to date that end devices have been affected. They can confirm that the situation is under control and that AnyDesk can be used safely. Users should ensure that they are using the latest version with the new code signing certificate. The integrity and trust in our products is of utmost importance to the provider and we are taking this situation very seriously.
AnyDesk concludes that the systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end-user devices.
Final words
That's the conclusion of AnyDesk's statement, which I received by email at around 10:44 p.m. on February 2, 2024 – they had been working on them all day, as I had already been promised a meeting with their CEO that morning. When I phoned the German CERT BSI press officer on the morning of February 2, 2024, he didn't even want to confirm when the information would be made public. In Part 2, I would like to present some of the information I have received from various sources and put the whole thing into context.
Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12
Similar article:
Störung bei AnyDesk, jemand betroffen?
AnyDesk: Be careful in using that remote support software
Advertising
Dear Gunter Born.
I used Anydesk once only- when requested to do so by an ESET technician on 16 January. The next day, I started receiving notifications of attempts to access my online accounts. on 19 January my hosting service shut down my website because it was sending spam emails. I could only see the bounce backs (over 26000). My email associated with the website no longer functions properly. That could be an issue with Thunderbird, but it is strange that several strange glitches- even in Canva- have occurred in the past month.
Up until this week, I have still received notifications of attempted logins to my accounts. Along the way I deleted the Anydesk app as I tried to eliminate possible issues- not knowing about the breach until 16 February. I was upset to read Anydesk's statements on their website sweeping the issue aside- and wrote to them asking about compensation.
They only asked for my Anydesk ID. I am considering legal action but small fries on their own get squished and wondered if there might be a class action lawsuit being filed against Anydesk. I can't be the only person affected (to the point of illness).
I guess, the Eset technican was a scammer
I doubt it. ESET is an anti-virus business. I wrote to ESET about my problem and they informed me about the Anydesk breach.