AnyDesk hacked, details unclear

Of the hack, AnyDesk said it found 'no evidence that any end-user devices have been affected.' But researchers said they saw AnyDesk customer credentials for sale on the dark web.

AnyDesk on Friday said it "found evidence of compromised production systems" in its network, but ransomware was not involved.

The remote access software provider published a disclosure post to its website late last week describing the incident. AnyDesk said it activated a remediation and response plan as well as engaged CrowdStrike. It said the remediation portion "has concluded successfully." No timeline for the attack was provided, nor clarification regarding what type of cyberattack the vendor experienced.

In addition, AnyDesk has revoked all security-related certificates, and "systems have been remediated or replaced" where necessary. As of Friday, the company had not revoked the previous code-signing certificate for its binaries but said it was in the process of doing so.

SentinelOne said in a customer advisery that "it is strongly recommended that all users install the latest version of the software (version 8.0.8 for Windows, other binaries are still using the old certificate), as the old code signing certificate will soon be revoked."

As a precaution, AnyDesk said it revoked all passwords to its web portal and recommended users change their passwords if identical credentials are used elsewhere.

"To date, we have no evidence that any end-user devices have been affected," the post read. "We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate."

According to a blog post from security vendor Resecurity, multiple threat actors have listed more than 18,000 AnyDesk customer credentials to dark web forum Exploit[.]in. "These compromised account credentials are believed to have been obtained via infostealer infections," Resecurity's post read.

TechTarget Editorial asked AnyDesk for clarification regarding whether certificate replacement had been completed as well as a response to reports of credentials being sold on the dark web. No response was received by press time.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.

Dig Deeper on Identity and access management