AnyDesk Software, the Germany-based developer of the popular remote access software, informed customers on Friday about a significant security breach.
According to the company, a security audit triggered by suspicious activity led to the discovery that AnyDesk production systems were compromised. Little information has been shared on the attack itself, but AnyDesk has clarified that the incident “is not related to ransomware”.
“We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” AnyDesk said.
It added, “Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices. As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.”
AnyDesk called in CrowdStrike to help investigate and remediate the incident, and authorities have been notified. The firm says it is confident that AnyDesk is safe to use, but has urged customers to ensure that they are running the most recent version, which is signed with the new code signing certificate.
The brief description of the incident suggests that the company may have been targeted in an attempted supply chain attack. Such attacks can have severe consequences because they allow threat actors to deliver trojanized software to the victim's customers.
AnyDesk says its software has been downloaded more than 800 million times by users around the world.
Cybersecurity firm Resecurity reported shortly after the breach came to light that an individual has offered to sell the credentials of more than 18,000 AnyDesk customers on a prominent cybercrime forum. The seller is asking for $15,000 in cryptocurrency.
The credentials were apparently obtained with the aid of information-stealer malware that had compromised AnyDesk users’ systems. While the sale of credentials does not appear to be directly related to the breach, Resecurity believes cybercriminals are in a rush to monetize the credentials before they are changed by users as recommended by the vendor in response to the breach.