Understanding the Incident at AnyDesk - Threat Intelligence Lab

As a cybersecurity expert, I find the recent incident at AnyDesk particularly instructive.

The company faced a critical situation where their systems showed signs of a security incident¹. Realizing the gravity of the situation, they promptly conducted a security audit.

This proactive step led to the discovery of compromised production systems – a serious concern for any organization.

Remediation with CrowdStrike

Recognizing the severity of the situation, AnyDesk acted swiftly by activating a remediation and response plan.

They enlisted the help of cybersecurity experts from CrowdStrike², a wise move considering the complexity of such incidents.

The involvement of such seasoned experts ensured a comprehensive and effective approach to handling the crisis.

Impressively, the remediation plan concluded successfully, showcasing the efficiency and expertise of all parties involved.

Strategic Response and Preventive Measures

In such scenarios, it’s crucial to go beyond just fixing the immediate problem.

AnyDesk took several strategic steps to prevent further issues. They notified the relevant authorities³, a step that ensures transparency and compliance with legal obligations.

Furthermore, they revoked all security-related certificates and replaced systems where necessary. This decision is a textbook example of thorough remediation.

Anydesk certificates change

AnyDesk didn’t stop at system restoration; they took proactive measures to enhance security. They started by replacing the previous code signing certificate for their binaries.

Old	0dbf152deaf0b981a8a938d53f769db8
New	0a8177fcd8936a91b5e0eddf995b0ba5

Anydesk certificates change after incident

It’s a critical step to ensure that all software components are trustworthy and secure. Additionally, in an abundance of caution, they decided to revoke all passwords to their web portal and advised users to change passwords used elsewhere.

This move is a best practice in cybersecurity, preventing potential cascading effects from compromised credentials.

Reassurance to Users and Call for Vigilance

Lastly, AnyDesk confirms, based on their current knowledge, that the security breach did not affect any end-user devices.

They’ve reassured users that the situation is under control and that AnyDesk remains safe to use⁴. However, they wisely advise users to update to the latest version of their software, which includes the new code signing certificate.

This advice is in line with best practices in digital security – always keep your software updated to the latest version for enhanced security.

Conclusion and Recommendations

As a cybersecurity and threat intelligence professional, I recommend that users and organizations alike take note of AnyDesk’s incident.

It highlights the importance of rapid response, thorough remediation, and proactive security measures.

Regular security audits, swift incident response plans, and ongoing collaboration with cybersecurity experts are essential components of a robust cybersecurity strategy.

Additionally, keeping software updated and being vigilant about password security are simple yet effective practices that can significantly bolster your digital security posture.

AnyDesk Incident FAQ

What happened in the recent security incident at AnyDesk?

AnyDesk discovered indications of a security incident in their systems. A subsequent security audit revealed that some production systems were compromised. The incident did not involve ransomware.

How did AnyDesk respond to the incident?

AnyDesk promptly activated a remediation and response plan, involving cybersecurity experts from CrowdStrike. They successfully concluded the plan and worked closely with the relevant authorities to manage the situation.

Were any security measures revoked or changed as a result?

Yes, AnyDesk revoked all security-related certificates and systems have been remediated or replaced where necessary. They also announced the revocation of the previous code signing certificate for their binaries, replacing it with a new one.

Has there been any compromise of private keys, security tokens, or passwords?

AnyDesk designs its systems to avoid storing private keys, security tokens, or passwords. As a precaution, they have revoked all passwords to their web portal, my.anydesk.com, and recommend that users change their passwords if they use the same credentials elsewhere.

Were any end-user devices affected by this incident?

As of now, there is no evidence that any end-user devices have been affected. AnyDesk confirms that the situation is under control and their service is safe to use.

What are the key learnings from this incident for users and organizations?

This incident underscores the importance of rapid incident response, effective collaboration with cybersecurity experts, and the implementation of robust security measures. Regular updates of software and vigilance in password security are essential practices for safeguarding against such incidents.

https://anydesk.com/en/public-statement ↩︎
https://www.crowdstrike.com/en-us/ ↩︎
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/ ↩︎
https://status.anydesk.com/ ↩︎