It’s not very often that a company acknowledges a certificate-related breach. And in the recent AnyDesk cyberattack, the company did not officially disclose that certificates had been misused. However, they did tip their hand a bit when they revealed that they had rotated all certificates as a “precautionary” measure. Why is this significant? AnyDesk is a popular remote access solution used by the likes of Samsung, NVIDIA, Siemens, and more than 170,000 clients around the world.
AnyDesk's team detected the breach when they noticed unusual activities within their internal network. A security assessment confirmed that their systems had been penetrated by unidentified individuals. The specifics of the stolen data were not disclosed by the company. However, BleepingComputer suggested that the culprits likely accessed both the source code and the private keys used for code signing.
The attackers' focus on code signing keys suggests they were aiming for a widespread attack by exploiting AnyDesk to spread malware to its users and partners. These keys serve as robust digital identities for machines—if software is verified with such a trusted identity, it signals other systems to consider it safe, enabling malware to execute unchallenged. Essentially, a legitimate code signing certificate provides attackers with unfettered access, a tactic we've seen used extensively before.
For instance, the SolarWinds incident is a stark example, where intruders breached the development environment and inserted malicious code. Because the code was signed, it was distributed and trusted by thousands of entities, including the US government and Microsoft. Similarly, in NVIDIA’s 2022 attack [bleepingcomputer.com], compromised code signing certificates were promptly used post-breach to target other organizations.
Bleeping Computer also reported that the attack began on January 29 and lasted until February 2, compelling AnyDesk to prevent access to its client software. This effectively resulted in a four-day service interruption, causing inconvenience for its customers. In the aftermath, AnyDesk has recommended that its users upgrade to the latest software version and reset their passwords, potentially causing further service disruptions.
AnyDesk has reassured its customers that the application remains secure and that there's no indication of the incident impacting end-user devices. "We can confirm that the situation is under control and AnyDesk is safe to use. Please ensure you are utilizing the most recent version of the app with the updated code signing certificate," advised the company.
The company's statement says that authentication tokens were not compromised; nonetheless, as a security measure, all web portal passwords have been reset and users have been encouraged to update theirs. Out of an abundance of caution, the company has also revoked all security-related certificates and has restored the affected systems. Moreover, AnyDesk is in the process of invalidating all previous code signing certificates and is already replacing them with new ones.
In the longer term, AnyDesk customers will be the first port of call for threat actors. Venafi VP of security and threat intelligence Kevin Bocek warns that “Companies can be slow to switch over to newer versions of software. Threat actors will take advantage of this apathy and use the stolen code signing certificates to masquerade as AnyDesk and infiltrate customer networks.”
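The practical counter to that warning is to know which signer actually produced the binaries on your endpoints. The following PowerShell script is an added example, not AnyDesk's or Venafi's code: it inventories Authenticode signatures under an install directory and flags anything not signed by the current certificate. The install path, and the old and new certificate thumbprints, are placeholders to be replaced with the vendor's published values.

```powershell
# Added example (not AnyDesk's or Venafi's code). Inventories signed binaries
# under a directory and flags any whose Authenticode signer certificate is on a
# list of retired thumbprints. The thumbprints below are PLACEHOLDERS: replace
# them with the values the vendor publishes for the old and new certificates.
param(
    [string]$Path = "$env:ProgramFiles\AnyDesk",   # assumed install location
    [string[]]$RetiredThumbprints  = @('PLACEHOLDER_OLD_CERT_THUMBPRINT'),
    [string[]]$ExpectedThumbprints = @('PLACEHOLDER_NEW_CERT_THUMBPRINT')
)

function Get-SignerReport {
    param([string]$Root, [string[]]$Retired, [string[]]$Expected)

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }

            # Classify from a defender's point of view. Status alone may not
            # reflect a revocation, so the signer thumbprint is checked explicitly:
            #  - a signature that fails to verify is suspicious regardless of signer
            #  - a valid signature from a retired (stolen/revoked) certificate means
            #    the binary predates the rotation or was signed by whoever holds the key
            $verdict =
                if ($sig.Status -ne 'Valid')        { 'INVALID_SIGNATURE' }
                elseif ($Retired -contains $thumb)  { 'RETIRED_CERT' }
                elseif ($Expected -contains $thumb) { 'CURRENT_CERT' }
                else                                { 'UNEXPECTED_SIGNER' }

            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Signer     = if ($cert) { $cert.Subject } else { '' }
                Thumbprint = $thumb
                Timestamp  = if ($sig.TimeStamperCertificate) { 'countersigned' } else { 'no timestamp' }
                Verdict    = $verdict
            }
        }
}

$report = Get-SignerReport -Root $Path -Retired $RetiredThumbprints -Expected $ExpectedThumbprints
$report | Sort-Object Verdict | Format-Table -AutoSize

# Anything not signed by the current certificate deserves a closer look.
$report | Where-Object Verdict -ne 'CURRENT_CERT'
```

Run it across a fleet (for example through your endpoint management tooling) and the RETIRED_CERT and UNEXPECTED_SIGNER rows tell you which machines still carry binaries signed under the compromised identity.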
“For all businesses this is one more reminder that machine identities, like TLS certificates, are everywhere,” observes Bocek. “We must have visibility over which ones are used and automation to change them out quickly. Whether it’s because of a CA issue, Google’s 90-day mandate, more cloud-native software, or even post-quantum readiness, there’s only going to be more need to change certificates out quickly.”
Bocek also notes that businesses must be prepared to act and have machine identity management built into their normal, everyday business processes—just as we already do for customer and workforce identity. Bocek points to the gap: “If you ask a CISO if they can change user passwords quickly, and ask the same CISO if they can change certificates quickly, you’re guaranteed to get different answers. And in a world of more AI and cloud computing, machines are only becoming more and more important to business growth and profitability.”