AnyDesk: They have signed the client with an old certificate (April 24, 2024)

Stop - Pixabay[German]Brief information for AnyDesk (remote desktop software). On April 24/25, 2024, the remote maintenance provider AnyDesk rolled out a "rotten" version of its AnyDesk client, which is blocked by Microsoft Defender under Windows. The background to this is that the client was digitally signed with a revoked certificate. Several blog readers have pointed out the problem to me, but I have only just got around to addressing it in the blog. On April 29, 2024 my test confirmed, that there still versions of anydesk.exe downloadable from the internet, that has been signed with the revoked certificate. Here is a brief summary of the continuation of the chaos surrounding AnyDesk.


Advertising

Reader reports about blocked AnyDesk client

There was once this comment by German blog reader Harry on my German blog post Microsoft Defender blockt Anydesk-Clients (28. Februar 2024), which mentioned, that Microsoft Defender has been blocking the anydesk clients of the remote desktop software in Windows. The problem, that I mentioned at the end of February 2024 has now reappeared on April 24/25, 2024. Harry wrote:

The never-ending story of AnyDesk failure continues: today, 4/25/2024, freshly downloaded. Defender complains, but you can start it with "Run anyway". However, it can't be installed, because Windows refuses to do so.

and notes that the Anydesk.exe has a certificate dated 24.4.2024. This means that the client has just been signed with a certificate from AnyDesk. Blog reader Drago also confirms the problem and writes that he gets a "nice red warning".

Explanation of the behavior

German blog reader Kevin H. called me briefly on April 25, 2024 and outlined the issue – later also by e-mail. Kevin wrote to me that they have been monitoring this software since the security incident at AnyDesk. Therefore they noticed immediately, that a new client was presumably released on April 24, or 25, 2024, that was causing trouble with at least Windows Defender.

Kevin confirmed that this AnyDesk client triggers an alarm with some antivirus providers and that Windows Defender prevents the AnyDesk client from running. The reader uploaded the client to Virustotal and received this feedback.

AnyDesk-Client auf VirusTotal
AnyDesk client at VirusTotal


Advertising

ClamAV reported "Revoked.CRT.AnyDesk_Compromise-1002" as the reason, i.e. something happens with the revoked certificate. Kevin wrote: "It is noticeable that the already revoked signature is used here again, which is hopefully the only reason that AV systems sound the alarm – but such a slip-up is not a confidence-inspiring circumstance…". The reader sent me the following screenshot of the file properties, which proves the problem:

AnyDesk-Client Digitale Signatur

The property pages says, the software (AnyDesk client) was signed on April 24, 2024 with an old certificate of philandro Software GmbH, which was withdrawn after a cyber attack. Later that afternoon, the reader contacted me again and noted that AnyDesk had probably also noticed the error. In the meantime, an exe file had been downloaded for the client, which was signed "a few minutes ago" with the AnyDesk Software GmbH Cert.

AnyDesk-Client Digitale Signatur

This is the valid certificate, which is then also classified as inconspicuous by the virus scanners on VirusTotal. The bottom line is, that the vender used the old and revoked certificate for signing its client, and that triggered the virus scanners' alarms.

Addendum: The reader gave me two more places on the web where the AnyDesk client 8.0.10.0 could be downloaded. I downloaded the version on 29.4.2024 and checked the digital signature. They were signed with "philandro Software GmbH" on April 24, 2014, 14:53.30.

The background

The background to the certificate chaos is the fact that the provider AnyDesk was the victim of a cyberattack on its production systems in December 2023. However, the whole thing only came to light in bits and pieces at the beginning of February 2024 – possibly also due to the reporting here in the blog (see links at the end of the article). AnyDesk could not rule out the possibility that the keys for the certificates used to digitally sign files had been lost.

The old certificates were therefore revoked and the provider was busy in February providing new clients with updated digital signatures. This is now becoming a problem because AnyDesk got mixed up with the certificates in February 2024 and now in April 2024 when "building the new clients". As a result, the binary files were classified as malicious by AV programs and placed in quarantine.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12
Microsoft Defender blocks Anydesk clients (since 28 February 2024)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *