AnyDesk hack undercover – Access data offered for sale – Part 4

Sicherheit (Pexels, allgemeine Nutzung)[German]With regard to the AnyDesk hack, I am currently being constantly overtaken by reality. The credentials of AnyDesk customer accounts are already being offered for sale in the internet. Here is the new development, I would like to take this opportunity to thank the reader for pointing this out. Addendum: The data set is from an old breach.


Advertising

Recommendation to change password

In the AnyDesk cyber incident, hackers penetrated the provider's production systems. In the article AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1, I also reflected the provider's recommendation to change passwords. Quote from my article, which is based on information from the AnyDesk Incidence Report:

"As a precautionary measure, we have revoked all passwords for our web portal my.anydesk.com and recommend that users change their passwords if they use the same login details elsewhere."

I had already given this advice here in the blog and advised users to stop using the remote maintenance software for the time being. Here is the excerpt from the AnyDesk report again:

AnyDesk-Meldung über Cybervorfall

In AnyDesk hack undercover – Suspicious cases and more – Part 3 I also mentioned that not all AnyDesk customers are prompted to change their password when accessing the AnyDesk web portal. And many customers simply didn't realize that there was a cyber incident, I just looked on the AnyDesk site, nothing to see of a warning.

User credentials offered in hacker forum

Reader Nicolas informed me a few minutes ago in a personal message on X (thanks for that) that he had found the information that the AnyDesk account credentials were being offered for sale. The blog post Following The AnyDesk Incident: Following The AnyDesk Incident: Customer Credentials Leaked And Published For Sale On The Dark Web.


Advertising

On February 3, 2024, security researchers at resecurity.com identified at least two threat actors offering data from the hack on the Darknet. One of these individuals with the alias "Jobaaaaa" registered on the Exploit[.]in forum in 2021. This person offers a considerable amount of login data for AnyDesk customer accounts for sale.

AnyDesk-Anmeldedaten im Verkauf

The samples provided by the actors referred to compromised credentials of various end and enterprise customers, and allowed access to the AnyDesk customer portal. As a security measure, the actor sanitized some of the passwords. The actor offered 18,317 account records for $15,000 to be paid in cryptocurrency.

The perpetrator also agreed to make a deal through an escrow account on a reputable underground forum. Resecurity has contacted most of the contacts identified as potential victims and confirmed that they have used AnyDesk products in the past or recently. The actor did not disclose any further information.

Cyber threat analysts from the Resecurity HUNTER team were able to contact the actor to learn more about this activity. The actor emphasized: "This data is ideal for technical support fraud and mailing (phishing)". Resecurity has collected the available information to share with the public. The aim is to raise awareness of cybercrime and facilitate risk mitigation measures.

Remark: Currently I don't know, if the data are from the AnyDesk hack, or collected from compromised user systems or derived from other sources and compiled for the sale – the opportunity is favorable.

Addendum: The data are from an old breach – see this reddit.com post –  thanks to Frank for the link.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12

Similar article:
Störung bei AnyDesk, jemand betroffen?
AnyDesk: Be careful in using that remote support software


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *