AnyDesk hack undercover – more information and thoughts – Part 2

[German] In my blog post AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1 I compiled the information officially published by AnyDesk together with a brief history. I have been working on this topic for a few days now, and in the meantime I have received a few tidbits of information that have led to further insights, questions and speculation. Below is a compilation of these points.



Disclosure policy of the German BSI (CERT-Bund)

First of all, I need to mention that the German Federal Office for Information Security (BSI), whose CERT-Bund acts as the national CERT, issued a warning in advance (January 29, 2024) to a limited group of people in the critical infrastructure sector. While it's good to have a warning in advance, it's odd that this warning only reached a selected circle of people. It was even more odd that the warning was classified TLP:AMBER+STRICT. Under the Traffic Light Protocol, AMBER allows recipients to share the information on a need-to-know basis within their own organization and with its clients; the +STRICT qualifier removes the clients, so the warning may only be shared inside the recipient's own organization. None of my sources could share the details with me, and many weren't even able to view the warning at all. To date I don't have access to the warning. Overall I would call this decision "silly" (security by obscurity), but maybe they had good reasons for it.

Timeline of the cyberattack

Browsing the incident report, I notice that it doesn't contain any information (dates) about when things happened. Since I've been researching the topic for a few days now, I'll try to write down a few dates. It's all speculative, but it may help AnyDesk users to search their logs.

  • February 02, 2024: Late Friday evening (I received the promised information from AnyDesk at 10:44 p.m. by email), the official incident report went public.
  • February 01, 2024: In my German blog post AnyDesk und die Störungen: Es ist womöglich was im Busch I raised the question of a hack, because I had had information about a problem for days.
  • January 30, 2024: The AnyDesk infrastructure and services went into maintenance mode for many hours, during which everything was shut down.
  • January 29, 2024: According to my information, the confidential notification was sent to various KRITIS bodies (German critical infrastructure operators) on this date (confirmation also here). AnyDesk client version 8.0.8 was also released on this date; its changelog states that the certificate used for digital signing has been replaced.
  • January 27, 2024: The new certificate used to digitally sign the AnyDesk clients was created (see this article from Bleeping Computer).

By January 29, 2024 (or January 27) at the latest, it can be assumed that AnyDesk already knew there was a very big problem. But the story goes on, or rather: let's go back a few more days.

(Screenshot: AnyDesk status page, January 22, 2024)

  • January 25, 2024: In the German blog post Störung bei AnyDesk, jemand betroffen? I asked whether users had noticed any malfunctions. A reader who contacted me complained about functional impairments and license issues since January 20.
  • January 22, 2024: The above screenshot shows the AnyDesk status page, where we had a complete outage of the customer portals; similar outages occurred on the following days. Maybe they tried to fix something, or the attack was escalating; room for speculation.
  • January 16, 2024: AnyDesk client 8.0.7 for Windows was released on this date. The changelog can be found in the Internet Archive and does not yet say anything about certificate changes. I read this as AnyDesk not yet being aware of an attack at that point.
  • January 4, 2024: I have a log from an AnyDesk user who observed unauthorized access to his AnyDesk instance (permanently open, but password-protected). A second incident occurred on December 30, 2023, as the reader informed me. I will deal with this topic separately in part 3, but for now would file it as "an incorrectly entered ID".

I'll mark this as speculation, but it seems that the access to AnyDesk's production systems must have happened during the period outlined above, or even earlier. AnyDesk could solve that mystery, because they say they conducted a forensic investigation together with CrowdStrike, but so far there has been no word about its findings.
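The dates above give AnyDesk users a concrete window to search their own logs for. As an added example (not code from the original post and not anything published by AnyDesk), the following Python script reads an AnyDesk connection_trace.txt, keeps the incoming sessions inside that window, and flags those that used unattended authentication or came from an AnyDesk ID that is not on an allowlist. The tab-separated layout assumed here (direction, timestamp, authentication method, remote ID, alias), the file locations in the comments and the allowlist are assumptions; the sample lines are constructed for the example and are not real log data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the ASSUMED layout of connection_trace.txt:
# direction <TAB> "YYYY-MM-DD, HH:MM" <TAB> auth method <TAB> remote ID <TAB> alias.
# On Windows the real file usually lives under C:\ProgramData\AnyDesk\ (service
# mode) or %APPDATA%\AnyDesk\ (user mode). These lines are NOT real log data.
SAMPLE_TRACE = (
    "Incoming\t2023-12-18, 09:12\tUser\t123456789\t123456789\n"
    "Outgoing\t2023-12-30, 22:41\tUser\t555666777\t555666777\n"
    "Incoming\t2023-12-30, 23:05\tPasswd\t987654321\t987654321\n"
    "Incoming\t2024-01-04, 03:17\tPasswd\t987654321\t987654321\n"
    "Incoming\t2024-01-04, 03:18\tToken\t987654321\t987654321\n"
    "Incoming\t2024-01-10, 14:00\tUser\t111222333\t111222333\n"
)

# Review window taken from the post's timeline: earliest reader-reported
# incident (Dec 30, 2023) up to the maintenance shutdown (Jan 30, 2024).
WINDOW_START = datetime(2023, 12, 30)
WINDOW_END = datetime(2024, 1, 30, 23, 59)

# Auth methods where nobody on the local side had to click "Accept":
# the unattended-access password, or a token remembered from an earlier session.
UNATTENDED_AUTH = {"Passwd", "Token"}


@dataclass(frozen=True)
class Session:
    direction: str
    when: datetime
    auth: str
    remote_id: str
    alias: str


def parse_trace(text: str) -> list[Session]:
    """Parse the tab-separated trace; raises on lines that do not fit the assumed layout."""
    sessions: list[Session] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split("\t")]
        if len(parts) < 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields, got {len(parts)}")
        direction, stamp, auth, remote_id, alias = parts[:5]
        when = datetime.strptime(stamp, "%Y-%m-%d, %H:%M")
        sessions.append(Session(direction, when, auth, remote_id, alias))
    return sessions


def suspicious_sessions(sessions: list[Session],
                        known_ids: frozenset[str] = frozenset()) -> list[Session]:
    """Incoming sessions inside the window that were unattended, or that came from
    an AnyDesk ID not on the (hypothetical) allowlist of IDs you expect to connect."""
    return [
        s for s in sessions
        if s.direction == "Incoming"
        and WINDOW_START <= s.when <= WINDOW_END
        and (s.auth in UNATTENDED_AUTH or s.remote_id not in known_ids)
    ]


def summarize(hits: list[Session]) -> dict[str, tuple[int, datetime, list[str]]]:
    """Per remote ID: number of flagged sessions, first seen, auth methods used."""
    grouped: dict[str, list[Session]] = {}
    for s in hits:
        grouped.setdefault(s.remote_id, []).append(s)
    return {
        rid: (len(v), min(s.when for s in v), sorted({s.auth for s in v}))
        for rid, v in grouped.items()
    }


if __name__ == "__main__":
    known = frozenset({"123456789", "111222333"})  # hypothetical allowlist of own IDs
    hits = suspicious_sessions(parse_trace(SAMPLE_TRACE), known)
    for rid, (count, first, auths) in summarize(hits).items():
        print(f"{rid}: {count} incoming session(s), first {first:%Y-%m-%d %H:%M}, auth {', '.join(auths)}")
```

To run it on a real trace, read the file into parse_trace instead of SAMPLE_TRACE and put your own and your support provider's AnyDesk IDs into the allowlist. Sessions flagged as "Passwd" or "Token" from an ID you do not recognize deserve the closest look, because no one on the local side had to accept them. A hit is a lead, not proof: the post itself notes that at least one such case could simply be a mistyped ID.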



Rumor: Private keys and source code extracted

According to my information (Lawrence Abrams from Bleeping Computer, with whom I am in frequent contact, including last night, has the same information, see), the attackers have extracted keys or certificates that are used to sign binaries, as well as source code.

The certificate story is plausible insofar as client v8.0.8 received a new digital signature on January 29, 2024. No one has yet denied that this data was leaked. This should be kept in mind.

At this point I would like to add one more thought. In the blog post Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1 I mentioned that Microsoft was heavily criticized because the private key extracted during that hack was not stored in an HSM (Hardware Security Module) but on a server. The same question arises for AnyDesk. If the code-signing key had been generated and kept inside an HSM, the private key itself could not have been exfiltrated, since an HSM never releases key material. What an HSM does not prevent is an attacker who controls the signing host asking the HSM to sign malicious binaries; that abuse leaves a trail in the HSM's audit log, however, and ends as soon as access to the host is cut, whereas a stolen key can be used indefinitely until the certificate is revoked.

Updating the client will fix everything?

Now AnyDesk has written in its announcement that it has given the clients a new digital signature and is asking customers to switch to client 8.0.8. In all likelihood, some customers will continue to use the old client versions. I don't know whether AnyDesk can cut them off from connections and protect them that way. Note that a newly signed client does not by itself protect anyone: binaries signed with the old certificate remain trusted until that certificate is revoked and clients, antivirus software and application allowlisting actually reject it.

One user pointed out to me that the AnyDesk client is bundled in many application packages and is rolled out to customers for remote maintenance. According to this source, the client has been in use there since version 7.x. I have not followed this up, but I suspect there is also a newly signed 7.x client. Still, many software packages that bundle AnyDesk as a client would now have to be updated. That doesn't bode well, in my view.

I remember my old post Festes SA SQL-Passwort bei windata 9-Banking-Software, where I discovered a security vulnerability in that banking software. TeamViewer was used there, and I asked the developer why old TeamViewer clients were being distributed. The answer was that it had to stay that way at the request of the banks that distribute the product to their customers.

Dennis points out in this comment that this is also an issue for the healthcare sector. Some healthcare products (in Germany) rely almost exclusively on AnyDesk, albeit with their own servers rather than the public AnyDesk servers. I'm curious to see whether we hear anything from that corner. I'm not sure how this affects other countries.

It was asked whether self-hosted on-premises solutions were also affected. There is a hearsay statement, which I cannot verify, from an AnyDesk support employee, allegedly made this week at a customer site, that on-premises installations were not affected, only the "cloud solutions", i.e. probably everything that handles access via the public AnyDesk gateways. I would personally take this statement with a grain of salt, as infected clients don't care about such a distinction.

First suspected cases: Is there something looming?

Now we come to the even more unpleasant part of the story. Since I've been asking around, I have been receiving more and more information and questions. I have now received two reports of an increase in scam calls over the last few days; one came from the CISO of a large public organization in Austria.

During the night I was made aware of the Reddit thread How did AnyDesk get on my phone and is it compromised now?. An Android smartphone user woke up to find that an app called AnyDesk had been installed on his device. He asks how on earth the app could have gotten onto the phone, as he is very sure he didn't install it. The case is "shaky" because the AnyDesk client could have been pulled onto the device by another app. But just keep it in mind.

In part 3 I will cover an observation that "somebody" is probably already experimenting with "AnyDesk" malware (there are probably samples, but they are detected by virus scanners). I would also like to take up two "more" suspicious cases that are related to the hack above. Both cases seem harmless at first sight, but at the moment we cannot be careful enough.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12

Similar article:
Störung bei AnyDesk, jemand betroffen?
AnyDesk: Be careful in using that remote support software

