{"id":33024,"date":"2024-02-03T00:10:50","date_gmt":"2024-02-02T23:10:50","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33024"},"modified":"2024-02-20T11:16:38","modified_gmt":"2024-02-20T10:16:38","slug":"anydesk-confirmed-they-have-been-hacked-in-january-2024-production-systems-affected","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/02\/03\/anydesk-confirmed-they-have-been-hacked-in-january-2024-production-systems-affected\/","title":{"rendered":"AnyDesk confirmed, they have been hacked in January 2024, Production systems affected"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Sicherheit (Pexels, allgemeine Nutzung)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Sicherheit (Pexels, allgemeine Nutzung)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/02\/03\/anydesk-wurde-im-januar-2024-gehackt-produktionssysteme-betroffen\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]My fears have been confirmed. The days-long \"maintenance\" of the AnyDesk websites is the result of a cyber attack. AnyDesk's production systems have been hacked. All AnyDesk software must be considered compromised. After the German CERT (BSI) sent out a confidential warning to operators of critical infrastructures, I have finally received the incident report from AnyDesk. Below I have put together all the information I now have in one article.<\/p>\n<p><!--more--><\/p>\n<h2>The history of this story<\/h2>\n<p>On January 25, 2024, a reader contacted me and complained about constant \"malfunctions\" with the AnyDesk remote maintenance software. The reader had been unable to establish a connection since January 20, 2024. 
In addition, license keys were suddenly no longer accepted. AnyDesk support only stated that there were \"currently problems with the server connections\". Below is a screenshot of a statement (in German) from AnyDesk support.<\/p>\n<p><img decoding=\"async\" title=\"AnyDesk-Supportantwort auf St\u00f6rung\" src=\"https:\/\/i.postimg.cc\/0Q65Mh8R\/image.png\" alt=\"AnyDesk-Supportantwort auf St\u00f6rung\" \/><\/p>\n<p>I covered the case in my German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2024\/01\/25\/strung-bei-anydesk-jemand-betroffen\/\" target=\"_blank\" rel=\"noopener\">St\u00f6rung bei AnyDesk, jemand betroffen?<\/a>, but did not write an English version, because feedback from my blog readership indicated that nobody there had noticed anything. However, the reader mentioned above told me that the issues were still occurring, and as of January 30, 2024, AnyDesk's website was suddenly in maintenance mode and no longer accessible.<\/p>\n<h3>Who or what is AnyDesk?<\/h3>\n<p>AnyDesk is a provider that offers remote maintenance software under the same name. The product was developed by former TeamViewer employees and has long been regarded as an alternative to TeamViewer. AnyDesk is used by many companies, with the provider claiming a total of 170,000 customers. Names such as 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS and the United Nations are also mentioned. 
AnyDesk is also integrated into some third-party products.<\/p>\n<h3>First indications of a hack<\/h3>\n<p>Prompted by a cryptic hint from an anonymous source that AnyDesk should no longer be used in critical environments, I wrote the German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2024\/02\/01\/anydesk-und-die-stoerungen-es-ist-womoeglich-was-im-busch\/\" target=\"_blank\" rel=\"noopener\">AnyDesk und die St\u00f6rungen: Es ist wom\u00f6glich was im Busch<\/a> on February 1, 2024, in which I raised the question of a hack.<\/p>\n<p>Later I added the English blog post\u00a0<a href=\"https:\/\/borncity.com\/win\/2024\/02\/02\/anddesk-be-careful-in-using\/\" rel=\"bookmark\">AnyDesk: Be careful in using that remote support software<\/a>.\u00a0Over the last two days, several \"information fragments\" from various sources have trickled in, all suggesting that something was wrong.<\/p>\n<p>And it turned out that AnyDesk had replaced the certificate used for digitally signing the AnyDesk client with version 8.0.8 on January 29, 2024, according to the <a href=\"https:\/\/anydesk.com\/en\/changelog\/windows\" target=\"_blank\" rel=\"noopener\">changelog<\/a>.<\/p>\n<h3>A confidential German CERT (BSI) warning<\/h3>\n<p>I also found out that the Federal Office for Information Security (BSI) had sent a warning to operators of critical infrastructures this week, but had given it a TLP classification under which only a very small group of people were allowed to view it and none of them were permitted to share it. Information on the TLP classification can be found <a href=\"https:\/\/en.wikipedia.org\/wiki\/Traffic_Light_Protocol\" target=\"_blank\" rel=\"noopener\">here<\/a>. 
According to my information, the document was classified as TLP:AMBER+STRICT &#8211; I still don't know its content &#8211; but I knew that there had been a hack in which keys had been leaked.<\/p>\n<h2>AnyDesk confirms successful cyber attack<\/h2>\n<p>In an \"incident report\" promised by AnyDesk and sent by e-mail a few hours ago, my suspicion that there had been a cyber attack is confirmed. The short incident report is available <a href=\"https:\/\/anydesk.com\/en\/public-statement\" target=\"_blank\" rel=\"noopener\">here<\/a>. AnyDesk confirms that a security audit was carried out following indications of an incident on some of its own systems. This audit revealed evidence of compromised production systems.<\/p>\n<h3>Incident at the end of January 2024?<\/h3>\n<p>The incident report does not contain any dates, but according to my information, this review was probably initiated on January 29 or 30, 2024, which matches the start of the maintenance phase on January 30, 2024. AnyDesk states that it immediately activated a remediation and response plan involving cybersecurity experts from CrowdStrike.<\/p>\n<h3>Maintenance completed, authorities informed<\/h3>\n<p>The report also states that the remediation plan has been successfully completed. The relevant authorities have been notified and the company is working closely with them. The company denies that this incident is a ransomware infection. The notification of the authorities presumably led to the above-mentioned BSI warning, whose \"TLP:AMBER+STRICT\" restriction underlines the seriousness of the incident.<\/p>\n<h3>Certificates and passwords revoked<\/h3>\n<p>AnyDesk then revoked all security-relevant certificates, and systems were repaired or replaced where necessary, the report continues. This explains the days-long maintenance mode of the systems. 
The previous code signing certificate for AnyDesk binaries is to be revoked shortly, and AnyDesk has already started to replace it with a new one, the provider writes.<\/p>\n<p>This confirms the observation that the AnyDesk client version 8.0.8 from January 29, 2024 was signed with a new certificate. The colleagues from Bleeping Computer, with whom I was still in contact yesterday, have named both the old and the new certificate in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/anydesk-says-hackers-breached-its-production-servers-reset-passwords\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>.<\/p>\n<h3>User passwords should be changed<\/h3>\n<p>In the incident report, AnyDesk writes: \"As a precautionary measure, we have revoked all passwords for our web portal my.anydesk.com and recommend that users change their passwords if they use the same login details elsewhere.\" I had already given this advice here in the blog yesterday and advised users to stop using the remote maintenance software for the time being.<\/p>\n<h3>No evidence of exploitation?<\/h3>\n<p>AnyDesk writes that there are no indications to date that end-user devices have been affected. The company says it can confirm that the situation is under control and that AnyDesk can be used safely. Users should ensure that they are using the latest version with the new code signing certificate. AnyDesk adds that the integrity of and trust in its products is of utmost importance to it and that it is taking the situation very seriously.<\/p>\n<p>AnyDesk concludes that its systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end-user devices.<\/p>\n<h2>Final words<\/h2>\n<p>That's the conclusion of AnyDesk's statement, which I received by e-mail at around 10:44 p.m. on February 2, 2024 &#8211; they had been working on it all day, as I had already been promised a conversation with their CEO that morning. 
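<\/p>
<p>A practical check for the advice above (run only a client signed with the new code signing certificate): the following PowerShell script is an added example and is not code from AnyDesk or from the original post. It reads the Authenticode signature of the installed AnyDesk binary, prints the signer certificate details, and fails unless Windows validates the signature and the signer's thumbprint matches one you obtained from the vendor. The default install path and the placeholder thumbprint are assumptions; this page names neither the old nor the new certificate, so you must fill in the expected value yourself.<\/p>
```powershell
# Added example (not AnyDesk's or the blog's code): verify the Authenticode
# signature of an installed AnyDesk binary against the NEW code signing
# certificate's SHA-1 thumbprint, which you must obtain from the vendor.
# The default path and the placeholder thumbprint below are assumptions.
param(
    [string]$BinaryPath = (Join-Path ${env:ProgramFiles(x86)} 'AnyDesk\\AnyDesk.exe'),
    [string]$ExpectedThumbprint = 'REPLACE-WITH-VENDOR-PUBLISHED-SHA1-THUMBPRINT'   # placeholder
)

if (-not (Test-Path -LiteralPath $BinaryPath)) {
    Write-Warning ('Binary not found: {0}' -f $BinaryPath)
    exit 2
}

# Normalise the expected thumbprint (often pasted with spaces, colons or lowercase).
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) {
    Write-Warning 'ExpectedThumbprint is not a 40-hex-digit SHA-1 thumbprint; refusing to compare against a placeholder.'
    exit 2
}

# Get-AuthenticodeSignature asks Windows to validate the signature and its chain.
$sig  = Get-AuthenticodeSignature -LiteralPath $BinaryPath
$cert = $sig.SignerCertificate   # $null when the file is unsigned

# Show what actually signed the file, so it can be compared with the vendor's
# published details (subject, issuer, validity window, thumbprint, timestamper).
[pscustomobject]@{
    File        = $BinaryPath
    Status      = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    NotBefore   = $cert.NotBefore
    NotAfter    = $cert.NotAfter
    Thumbprint  = $cert.Thumbprint
    TimeStamper = $sig.TimeStamperCertificate.Subject
} | Format-List

# Fail unless the chain validates AND the signer is the certificate the vendor now uses.
if ($sig.Status -ne 'Valid') {
    Write-Warning ('Signature status is {0}; do not trust this binary.' -f $sig.Status)
    exit 1
}
if ($cert.Thumbprint -ne $expected) {
    Write-Warning ('Signer thumbprint {0} does not match the expected (new) certificate.' -f $cert.Thumbprint)
    exit 1
}
Write-Output 'OK: signature is valid and the signer matches the expected (new) certificate.'
exit 0
```
<p>Saved under a name of your choosing (the script name is not from the page), it is run as <code>.\\Check-AnyDeskSignature.ps1 -ExpectedThumbprint &lt;value&gt;<\/code>, optionally with <code>-BinaryPath<\/code> for a non-default install location. One caveat: a <code>Valid<\/code> status only means Windows could build a trusted chain for the signature; an Authenticode signature that was timestamped before the old certificate's revocation date can still validate, so the explicit thumbprint comparison is the part that actually distinguishes a build signed with the old certificate from one signed with the new one.<\/p>
<p>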
When I phoned the German CERT BSI press officer on the morning of February 2, 2024, he didn't even want to confirm when the information would be made public. In Part 2, I would like to present some of the information I have received from various sources and put the whole thing into context.<\/p>\n<p><strong>Articles:<br \/>\n<\/strong><a href=\"https:\/\/borncity.com\/win\/2024\/02\/03\/anydesk-confirmed-they-have-been-hacked-in-january-2024-production-systems-affected\/\">AnyDesk confirmed, they have been hacked in January 2024, Production systems affected<\/a> &#8211; Part 1<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/03\/anydesk-hack-undercover-more-information-and-thoughts-part-2\/\">AnyDesk hack undercover &#8211; more information and thoughts<\/a> &#8211; Part 2<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/04\/anydesk-hack-undercover-suspicious-cases-and-more-part-3\/\" target=\"_blank\" rel=\"noopener\">AnyDesk hack undercover &#8211; Suspicious cases and more<\/a> &#8211; Part 3<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/04\/anydesk-hack-undercover-access-data-offered-for-sale-part-4\/\" target=\"_blank\" rel=\"noopener\">AnyDesk hack undercover &#8211; Access data offered for sale<\/a> &#8211; Part 4<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/05\/anydesk-hack-a-review-part-5\/\">AnyDesk hack &#8211; A review<\/a> &#8211; Part 5<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/06\/anydesk-hack-review-of-the-german-cert-bsi-report-part-6\/\">AnyDesk hack &#8211; Review of the German CERT BSI report<\/a> &#8211; Part 6<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/07\/anydesk-hack-notes-on-exchanging-certificates-for-customs-clients-7-x-part-7\/\">AnyDesk hack \u2013 Notes on exchanging certificates for Customs clients 7.x<\/a>\u00a0\u2013 Part 7<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/07\/anydesk-hack-more-details-faq-from-feb-5-2024-part-8\/\" target=\"_blank\" 
rel=\"noopener\">AnyDesk hack &#8211; more details (FAQ from Feb. 5, 2024)<\/a> &#8211; Part 8<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/08\/anydesk-hack-already-noticed-on-december-20-2023-part-9\/\">AnyDesk hack already noticed on December 20, 2023?<\/a> &#8211; Part 9<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/09\/anydesk-hack-confirmed-as-of-december-2023-old-certificate-recalled-part-10\/\">AnyDesk hack confirmed as of December 2023; old certificate recalled<\/a>\u00a0\u2013 Part 10<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/14\/anydesk-hack-revoke-chaos-with-old-certificates-part-11\/\">AnyDesk hack: Revoke chaos with old certificates?<\/a>\u00a0\u2013 Part 11<br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/20\/anydesk-hack-newly-signed-clients-availalbe-what-are-your-experiences-part-12\/\">AnyDesk hack: Newly signed clients available; what are your experiences?<\/a>\u00a0\u2013 Part 12<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/www.borncity.com\/blog\/2024\/01\/25\/strung-bei-anydesk-jemand-betroffen\/\">St\u00f6rung bei AnyDesk, jemand betroffen?<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/02\/02\/anddesk-be-careful-in-using\/\" rel=\"bookmark\">AnyDesk: Be careful in using that remote support software<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]My fears have been confirmed. The days-long \"maintenance\" of the AnyDesk websites is the result of a cyber attack. AnyDesk's production systems have been hacked. All AnyDesk software must be considered compromised. 
After the German CERT (BSI) sent out a &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/02\/03\/anydesk-confirmed-they-have-been-hacked-in-january-2024-production-systems-affected\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-33024","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33024"}],"version-history":[{"count":14,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33024\/revisions"}],"predecessor-version":[{"id":33274,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33024\/revisions\/33274"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}