AnyDesk revokes signing certs, portal passwords after crooks sneak into systems

AnyDesk has copped to an IT security "incident" in which criminals broke into the remote-desktop software maker's production systems. The biz has told customers to expect disruption as it attempts to lock down its infrastructure.

The application developer, which is said to have more than 170,000 customers worldwide, disclosed the intrusion in a statement on its website late on Friday, claiming it is "not related to ransomware."

While there's no specific mention of stolen data, some infosec analysts have pointed out that the disclosure indicates that criminals got hold of AnyDesk's code signing certificate. That would allow miscreants to pass off malware as legit AnyDesk tools to unsuspecting marks.

"We have revoked all security-related certificates and systems have been remediated or replaced where necessary," AnyDesk said. "We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.

"As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere."

According to infosec world watchers, criminals are selling AnyDesk customer credentials on the dark web, though these may not be related to this latest heist. AnyDesk says it has hired CrowdStrike to assist with remediation and incident response, and notified the authorities.

• 'Strictly limit' remote desktop – unless you like catching BianLian ransomware
• Admin behind E-Root stolen creds souk extradited to US
• Lurie Children's Hospital back to pen and paper after cyberattack
• Researchers remotely exploit devices used to manage safe aircraft landings and takeoffs

"We can confirm that the situation is under control and it is safe to use AnyDesk," the statement continued. "Please ensure that you are using the latest version, with the new code signing certificate."

Other security shops warned that the pillaging has already begun with "multiple threat actors" selling access to stolen AnyDesk credentials.

As of February 3, a day after AnyDesk disclosed the incident, Resecurity said one of these miscreants had listed more than 18,000 AnyDesk customer credentials for sale:

Nick Hyatt, director of threat intelligence at managed detection and response firm BlackPoint, told The Register that the credentials are legitimate, but not newly stolen.

"They are part of a compilation of credentials amassed from previous infostealer dumps," Hyatt said, adding that it's a good example of criminals using new breaches to make a buck on previously stolen secrets. ®