AnyDesk Revokes Certificates, Urges Password Changes After Attack
2024-2-5 22:40:24 Author: securityboulevard.com (view original) Reads: 9 Favorites

Remote access software maker AnyDesk has revoked all security-related certificates and is urging users to change their passwords in the wake of a cyberattack that compromised some of its systems.

The Germany-based company said in a relatively brief statement that the security breach – which executives stressed wasn’t a ransomware attack – was detected during a security audit that found some of the company’s production servers had been compromised.

Cybersecurity firm CrowdStrike was called in to help remediate the situation, and law enforcement authorities were contacted, the company said.


“We have revoked all security-related certificates and systems have been remediated or replaced where necessary,” the executives wrote in the statement. “We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”

At the same time, they noted that AnyDesk’s systems don’t store private keys, security tokens, or passwords that could be abused to connect to end-user devices, though the vendor is revoking all passwords to its my.anydesk.com web portal.

Change the Passwords

The company urged users to change their passwords if the same credentials are used elsewhere.

“To date, we have no evidence that any end-user devices have been affected,” the executives wrote, adding that users should ensure that they are “using the latest version, with the new code signing certificate.”
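As a defender-side check for the advice above (an added example, not code from the article or from AnyDesk): the PowerShell below inspects the Authenticode signature on a locally installed AnyDesk binary and compares the signer's thumbprint with the one you expect. The install paths and the thumbprint placeholder are assumptions; take the real thumbprint of the new certificate from the vendor.

```powershell
# Added example, not from the article or the vendor.
# Checks that an AnyDesk binary is signed, that the signature chain is trusted,
# and that the signer is the certificate you expect (the new one), not any other.
function Test-AnyDeskSignature {
    param(
        [Parameter(Mandatory)][string]$BinaryPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # placeholder, see below
    )
    if (-not (Test-Path -LiteralPath $BinaryPath)) {
        return [pscustomobject]@{ Path = $BinaryPath; Result = 'MissingFile' }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $BinaryPath
    $cert = $sig.SignerCertificate

    # Status alone is not enough: a signature that was timestamped before the old
    # certificate's revocation date can still report 'Valid', so the thumbprint
    # comparison is the control that actually tells old builds from new ones.
    if ($null -eq $cert -or $sig.Status -eq 'NotSigned') {
        $result = 'NotSigned'
    } elseif ($sig.Status -ne 'Valid') {
        $result = 'InvalidOrUntrusted'
    } elseif ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        $result = 'UnexpectedSigner'      # old or unknown certificate: update/reinstall
    } else {
        $result = 'OK'
    }

    [pscustomobject]@{
        Path       = $BinaryPath
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
        Result     = $result
    }
}

# Placeholder: replace with the thumbprint of AnyDesk's current code-signing
# certificate as published by the vendor (not a value from this article).
$expected = '<THUMBPRINT-OF-NEW-ANYDESK-CODE-SIGNING-CERT>'

# Assumed common install locations; adjust for your deployment.
$candidates = @(
    "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe",
    "$env:APPDATA\AnyDesk\AnyDesk.exe"
)

$candidates |
    ForEach-Object { Test-AnyDeskSignature -BinaryPath $_ -ExpectedThumbprint $expected } |
    Format-Table Path, Status, Thumbprint, NotBefore, Result -AutoSize
```

Any row other than OK on a managed endpoint is worth a ticket: UnexpectedSigner means the build predates the certificate rotation, and InvalidOrUntrusted or NotSigned means the binary should not be trusted at all.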

There was no mention of when the breach was detected, how long the attackers were in its systems, or what data may have been stolen, although one report said the attackers stole source code and code-signing certificates.

Credentials for Sale

A day after AnyDesk released its statement, Resecurity researchers wrote that they saw multiple threat actors selling access to compromised AnyDesk credentials on cybercrime forums. One hacker, who used the alias “Jobaaaaa,” put more than 18,000 AnyDesk customer credentials up for sale on a dark web forum called Exploit[.]in.

Researchers with Resecurity’s Hunter team contacted Jobaaaaa about the data, with the hacker saying the information could be used for technical support scams and phishing. They wrote that the account credentials were likely stolen through infostealer malware.

“The samples provided by the threat actors were related to compromised access credentials that belong to various consumers and enterprises, and which grant access to the AnyDesk customer portal,” they wrote. “As a security measure, the threat actor sanitized some of the passwords. The threat actor offered 18,317 accounts for $15,000 to be paid in cryptocurrency.”

The hacker also agreed to a deal through escrow on Exploit.

“Resecurity reached out to the majority of the contacts identified as potential victims and confirmed they had used AnyDesk products recently or long ago,” wrote the cybersecurity firm, which also shared screenshots. “The threat actor didn’t share any additional information.”

They also noted that timestamps visible on the screenshots shared by the threat actor indicated that the unauthorized access occurred on February 3, a day after AnyDesk confirmed the security breach. Either some customers still hadn’t changed their access credentials, or the attackers were still able to pull data out of the systems. The researchers also said that while interacting with the attackers, they learned that most of the exposed AnyDesk accounts listed on the dark web weren’t protected with two-factor authentication.

“The compromised AnyDesk credentials listed for sale on the Dark Web create a significant threat for the company’s individual and enterprise customers,” Resecurity wrote. “The spectrum of risks associated with [these] leaks has proliferated exponentially, with attack scenarios ranging from the use of this data in downstream bank fraud and scam campaigns to targeted phishing and other types of malicious cyber activity.”

A Far Reach

AnyDesk said it has more than 170,000 customers – including Nvidia, Siemens, and the United Nations – using its software, which enables users to remotely control computers and other devices. It also delivers VPN and file transfer capabilities.

Nick Hyatt, director of threat intelligence at cybersecurity vendor Blackpoint Cyber, stressed the importance of being proactive about changing passwords for accounts that may have been compromised. He pointed to recent security incidents involving Cloudflare and Microsoft as examples of how threat groups are looking to compromise credentials. Hewlett Packard Enterprise also was the victim of the same group that attacked Microsoft.

“A majority of cybersecurity incidents start by attacking the human element – whether through credential-based attacks or social engineering,” Hyatt said. “When a security incident like this occurs, it’s important to be diligent about changing associated passwords, ensuring they are unique and complex, and enabling multifactor authentication [MFA] where available.”

Resecurity echoed the need for security measures like MFA, adding that for enterprises, “as a proactive measure, it would be prudent to monitor unexpected password and MFA changes for customers’ accounts, suspicious sessions, and possible emails sent on behalf of other entities referencing AnyDesk account information.”



Article source: https://securityboulevard.com/2024/02/anydesk-revokes-certificates-urges-password-changes-after-attack/