AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7

Following the cyberattack on AnyDesk GmbH, the provider of remote maintenance software, there is a notice that the certificate used for signing the client binaries will be exchanged and that the old certificate "will be revoked soon". Users should switch to AnyDesk client 8.0.8 or higher. The problem is the "custom clients" used by OEMs or companies, which are still based on the 7.x development branch. There are problems with generating these client versions. And, via a reader, I have a statement from support that these clients will only be equipped with a new certificate "in a few weeks".



Certificate replacement after AnyDesk hack

We have known since February 2, 2024 that the provider of the remote maintenance software AnyDesk was the victim of a hack that also affected the production systems. The provider rules out ransomware, but confirms that attackers intruded into its systems. We don't know when, and we don't know what was or is affected. I have included what the provider AnyDesk has disclosed in the article AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1.

It is also known that the provider is replacing the certificate for signing binary files – AnyDesk clients have been signed with a new certificate since version 8.0.8. Whether this is purely a precautionary measure or whether the private keys for signing the programs have really been lost is unknown to the public as far as I know.

Problems with custom clients

There are currently very practical problems with accessing clients signed with the new certificate. In addition to the general AnyDesk client (currently 8.0.8), which customers are supposed to use, there are probably custom clients that companies use for internal solutions or for external customers. These custom clients are created via a portal at AnyDesk and, as far as I know, are still largely based on the 7.x development branch.

In the above context, changing certificates means that the AnyDesk customers in question log in to their portal and then have the new "custom client" generated. I already described this in the article AnyDesk hack undercover – Suspicious cases and more – Part 3. This is probably anything but easy – because there is currently a huge problem there.

  • One German reader reported in early feedback that he was getting errors in certain scenarios and could not create the new version of the client.
  • Since Monday, February 5, 2024, the AnyDesk servers have (expectedly) been overloaded, so that the download of the AnyDesk client 8.0.8 is/was probably not always possible. In this German comment, a reader writes that he gets Error 500 from the server when downloading the 8.0.8 Custom Client.
  • In this German comment a reader writes that the auto-update of installed custom agents is not supported. However, he managed to generate and download a new custom agent in the AnyDesk Management Portal. He then discovered that this client was still signed with the old certificate.
  • Some German readers have responded to this comment by stating that the custom client 8.0.6 is being downloaded with the old certificate – a custom client 8.0.8 cannot be created; instead an error is reported. Another reader writes that all "custom clients 8.0.8" are standard clients.

Information is circulating in the comments (e.g. here) that the latest custom client is 7.0.15 with a new certificate. This comment states, with reference to AnyDesk, that the custom client 7.0.15 has the new certificate – but cannot be generated. I would have interpreted this to mean that the custom client 7.0.15 is currently being planned internally at AnyDesk, but is not yet being made available to any customers.
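To check which certificate a generated client actually carries, as the readers quoted above did, the Authenticode signer can be read directly from the binaries. The following PowerShell script is an added example, not code from this article or from AnyDesk; the two thumbprints are placeholders to be filled in from binaries you have verified yourself, and the search paths and file-name filter are assumptions (custom clients can be renamed).

```powershell
# Added example: report which certificate signed each AnyDesk binary found on this host.
# ASSUMPTION: both thumbprints are placeholders, not real values.
$OldCertThumbprint = '<THUMBPRINT-OF-OLD-SIGNING-CERT>'
$NewCertThumbprint = '<THUMBPRINT-OF-NEW-SIGNING-CERT>'

# ASSUMPTION: typical install and download locations; adjust for your environment.
$SearchRoots = @(
    ${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:ProgramData,
    "$env:SystemDrive\Users"
) | Where-Object { $_ -and (Test-Path $_) }

function Get-AnyDeskSignerReport {
    param(
        [string[]]$Roots,
        [string]$Filter = '*AnyDesk*.exe'   # ASSUMPTION: renamed custom clients need another filter
    )

    Get-ChildItem -Path $Roots -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert  = $sig.SignerCertificate      # $null when the file is unsigned
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        # Classify the signer separately from the validation status, so a binary
        # signed with the old certificate is still recognised after revocation.
        $signer = if (-not $cert)                        { 'unsigned' }
                  elseif ($thumb -eq $NewCertThumbprint) { 'new certificate' }
                  elseif ($thumb -eq $OldCertThumbprint) { 'old certificate' }
                  else                                   { 'unknown signer' }

        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $_.VersionInfo.FileVersion
            Signer      = $signer
            Status      = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Subject     = if ($cert) { $cert.Subject }
            Serial      = if ($cert) { $cert.SerialNumber }
            Thumbprint  = $thumb
            ValidFrom   = if ($cert) { $cert.NotBefore }
            Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

Get-AnyDeskSignerReport -Roots $SearchRoots |
    Sort-Object Signer, Path |
    Format-Table Path, FileVersion, Signer, Status, Serial -AutoSize
```

Rows reported as "unknown signer" or with a status other than Valid are the ones to review first; the Sha256 column lets you compare a deployed binary against the one downloaded from the portal.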



New signed client coming in weeks

In the German comment here, reader kdoteu suggests that the new client "may take another week or two" and that the custom clients are safe. Blog reader Nicolaas B. sent me an email from AnyDesk support yesterday afternoon, which he received on explicit request via his employer (which is known to me). Here is the statement from AnyDesk support in the email:

  • According to the current state of knowledge, the configured clients created on my.anydesk are secure.
  • The certificate for our custom clients is expected to be replaced in the next 2-4 weeks.

In other words, there is currently no legitimate custom client from AnyDesk that is already signed with the new certificate. But AnyDesk also states that the custom clients generated by their website are secure. They go on to say:

  • For the standard clients provided via our website, we recommend updating to the latest version as a precautionary measure.
  • "Man in the middle" attacks can be ruled out according to the current state of knowledge. The attackers could neither hijack sessions nor make unauthorized session requests via the attack.

This is a concrete statement. Furthermore, the email I received states: "Currently we are unfortunately unable to provide IOCs." – which makes sense to me. As long as there are no attacks, nobody can provide an Indicator of Compromise (IoC). AnyDesk support promised in the message: "Should something change here, we will be happy to get back to you."

Final thought: This uncertainty and confusion as well as numerous support requests from customers could (in my view) be avoided if AnyDesk provided transparent information on the website and published the above information there.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12

Similar articles:
Störung bei AnyDesk, jemand betroffen?
AnyDesk: Be careful in using that remote support software

