AnyDesk hack: Revoke chaos with old certificates? – Part 11

Sicherheit (Pexels, allgemeine Nutzung)[German]Now that it is clear that the provider of remote maintenance software, AnyDesk, was the victim of a hack of its production environment in December 2023, a certificate change for the digital signing of AnyDesk clients is pending. According to my current observations, it is heading towards a "revoke chaos" – from Feb. 14, 2024, the old certificate of "philandro Software GmbH" will be invalid. Clients new signed with this old certificate should then no longer be able to run. By the way, have you noticed that the phrase "the hack took place at the end of December 2023" has also been canceled and is now referred to as "December 2023"?


Advertising

The drama with the AnyDesk hack

I have traced the case of the AnyDesk hack, which turned into a drama, here on the blog (see the links at the article's end). Based on my suspicion at the end of January 2024, that the "technical problems" at AnyDesk were the result of a hack, there has been clarity since February 2, 2024. On this date, AnyDesk confirmed a hack of its production environment, which also resulted in the loss of source codes and probably private keys for digitally signing binary files.

Tough information for the public

Since my first report, AnyDesk has been very reluctant to disclose details to the public – usually only when new insights are reported here on the blog or in derived articles from other media. For example, it is now known that this hack was noticed on December 20, 2023 – something I first picked up on here in the blog (see AnyDesk hack already noticed on December 20, 2023? – Part 9). To my knowledge, customers have not yet been informed about the incident.

New wording in the FAQ

In this context, it is advisable to pay attention to word nuances. AnyDesk published an FAQ on the incident on February 7, 2024. At that date it read:

"Diligent forensic investigation revealed that the incident had started in late December 2023."

as one blog reader noted in this comment. However, in my blog post Part 9, I raised a suspicion that the attack could have taken place much earlier. The keywords were Atlassian, a product that had vulnerabilities that were exploited in November 2023. And AnyDesk uses Atlassian products in its production environment.

While writing this blog post, I took another look at AnyDesk's FAQ. It is interesting to note that AnyDesk's FAQ introduced new wording with the update of February 9, 2024. The passage found there reads now:


Advertising

"Our forensic investigation has revealed that the incident started in December 2023."

There are sometimes people who accuse me of "too much speculation here on the blog". But I interpret the above nuances in two ways. Firstly, it is becoming apparent that I was right with my assumptions, which were often formulated as questions. And secondly, AnyDesk no longer upholds the statement "The attack began on December 20, 2023" or "The attack began at the end of December 2023". In other words, there are probably signs that the attack was launched much earlier than the end of December 2023.

Status of the certificate revoke

Let's get to the heart of today's article. In the hack, it cannot be ruled out that the private keys for the certificates used to digitally sign binary files (AnyDesk client) have also been leaked. AnyDesk communicated on February 2, 2024 that the certificates for digitally signing the clients would be revoked "within 2 weeks".

New client, new certificate

In the meantime, AnyDesk had started to digitally sign the AnyDesk Client 8.0.8 for Windows with a new certificate issued to AnyDesk GmbH. However, the Customs clients were still signed with the old certificate of "philandro Software GmbH" with validity from December 13, 2021. I wrote something about this in the blog post AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7.

Old certificate revoked

Due to the reporting here in the blog, a third party contacted the certificate issuer DigiCert, pointed out the facts and asked for a review. DigiCert then declared the old certificate of "philandro Software GmbH" invalid. I had confirmed this in the blog post nyDesk hack confirmed as of December 2023; old certificate recalled – Part 10. There are some statements in comments  that software signed with the old certificate has already been blocked in Windows Defender – and it is only a matter of time before the digital certificate is declared invalid by Windows or other operating systems and the launch of clients signed in this way is prevented.

Custom clients can no longer be created

It was already indicated in the comments in my German blog: AnyDesk has now deactivated the ability for creating new custom clients in its customer portal. Olaf wrote that since February 9, 2024 (from late afternoon) he could no longer create a custom client in the portal (I) because the function was deactivated (the relevant view was grayed out). Confirmed by another user.

New versions to come

The FAQ from AnyDesk explains how users should secure AnyDesk clients and ensure that infected versions are not used:

…, we will shortly be issuing software updates for all version and custom clients with a new certificate.

Therefore, we are asking customers to update their AnyDesk version as soon as the updates are available. Once the new software updates have been rolled out, current certificates will be revoked.

The intention is to roll out new client versions with a new certificate and revoke the old certificate. AnyDesk 8.0.8 with a new certificate will be available for Windows. Furthermore, there is said to have been an automatic update of the AnyDesk client to version 7.0.15 in the stable channel.

Currently, however, the AnyDesk Custom Client version 7.0.14 is still available and an update is planned. The on-premises clients are also still stuck on version 7.0.14. There is probably the page Update AnyDesk, where it is described how the clients can be updated. But the old certificate will be revoked on February 13, 2024. Only binary files signed before December 19, 2023, with the old "philandro Software GmbH" certificate will be valid.

Now it seems that AnyDesk has startet to generate new clients signed with a new certificate. I will cover this in a new article.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12


Cookies helps to fund this blog: Cookie settings
Advertising


One reply

Leave a Reply

Your email address will not be published. Required fields are marked *