The compromise of AnyDesk, a prominent remote desktop application distributed by AnyDesk Software GmbH, has caused quite a stir in the cybersecurity domain. This disclosure raises concerns given the software’s proprietary nature, offering platform-independent remote access to personal computers and various devices.
On February 2, 2024, the company disclosed that a cyberattack on AnyDesk compromised production systems. The prospect of such software falling into the hands of cybercriminals is a significant source of concern, given its potential to provide unauthorized access to personal computers and other devices utilizing the host application.
The cyberattack on AnyDesk came to light through a public statement, detailing the results of a security audit conducted in response to indications of a breach.
“Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cybersecurity experts CrowdStrike,” read the official statement.
While AnyDesk reassured users that the situation was under control, the crucial question lingers: what does this precisely entail? A thorough examination sheds light on the implications and potential repercussions stemming from this cybersecurity incident.
Cyberattack on AnyDesk: Credentials Offered on Dark Web
As a preemptive measure, AnyDesk urged all users to update their passwords, particularly those using identical credentials elsewhere. “As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,” reads the official statement.
However, the aftermath of the cyberattack has taken a more complex turn, with threat actors identified on the Dark Web selling access to compromised AnyDesk credentials.
Resecurity, the cybersecurity firm, identified multiple threat actors involved in this illicit trade. One such actor, using the alias “Jobaaaaa,” listed over 18,000 AnyDesk customer credentials for sale on the Dark Web forum Exploit[.]in. The threat actor revealed that the compromised data was ideal for technical support scams and phishing activities.
The discussion surrounding the AnyDesk data took an intriguing turn when a threat intelligence platform stated that the data being traded on the dark web did not stem from the recent breach but rather from historical infostealer infections.
This sparked discussions on social media platform X about the timing and motive behind the credential sale, with Hudson Rock proposing that threat actors might be capitalizing on the situation—an assertion supported by Resecurity.
Resecurity further emphasized that, as of February 4, numerous accounts persisted without updated passwords and lacked the additional layer of security provided by two-factor authentication (2FA).
The provided examples from the threat actors to the cybersecurity firm were associated with compromised access credentials for both individual consumers and enterprises, allowing entry into the AnyDesk customer portal. As a security measure, the threat actor obscured some of the passwords. The actor suggested selling 18,317 accounts for $15,000, payable in cryptocurrency. Furthermore, there was a willingness to complete the transaction through escrow on Exploit.
These compromised accounts, posed a potential threat, particularly considering the absence of 2FA on a majority of them.
Potential Implications and Analysis
The compromised credentials not only pose a direct risk to AnyDesk users but also raise concerns about potential downstream cyber threats.
The information gleaned from the AnyDesk portal could provide threat actors with sensitive details about users, including license keys, active connections, session durations, customer IDs, contact information, and more.
Moreover, the lack of 2FA on the majority of exposed accounts amplifies the risk, especially for IT administrators who frequently use AnyDesk. This situation creates a potential gateway for a devastating supply-chain attack, affecting AnyDesk’s enterprise customers.
The timing of the unauthorized access, illustrated by shared screenshots, indicates that some users had not changed their access credentials post-incident disclosure.
The complexity of implementing remediation measures for a large user base suggests that proper planning and threat modeling are essential for effective cybersecurity.
Dark Web Activity and Potential Misuse
The availability of compromised data on the Dark Web could fuel various cybercriminal activities, including targeted phishing campaigns.
Cybercriminals armed with detailed customer information could launch sophisticated attacks, potentially leading to devastating consequences, akin to the SolarWinds-style attack.
AnyDesk had informed its customers about planned maintenance starting on January 29, disabling login functionality during this period.
The company restored login functionality by February 1, with potential cybercriminals looking to exploit the situation before proactive measures are taken.
Historical Scams and Continued Threats
Apart from the recent cyberattack, AnyDesk has been a target for online scammers who have previously abused the platform in various fraudulent schemes.
Scenarios involving fake Microsoft technicians, impersonation of legitimate companies, and fictitious AnyDesk support staff have been reported.
The compromised credentials may open the door for scammers and cybercriminals to launch new attacks, with the potential for increased success in account compromise due to additional customer details.
Dark Web Threat
The AnyDesk cyberattack highlights the evolving landscape of cyber threats and the need for constant vigilance. The compromised credentials listed on the Dark Web pose a significant risk to individual and enterprise customers.
The cyberattack on AnyDesk highlights the importance of timely password resets, the implementation of 2FA, and heightened awareness to mitigate potential risks associated with cyberattacks.
AnyDesk users are strongly advised to update their passwords, enable 2FA, and exercise caution against potential phishing attempts.
The cyberattack on AnyDesk coincides with attacks on major entities like Cloudflare, Microsoft, and Hewlett Packard Enterprise, potentially linked to a nation-state actor (Midnight Blizzard / Nobelium).
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Upcoming Webinar
Threat Landscape Reports 2025
Latest Cyber News
Web Stories
