AnyDesk code signing certificate compromised and revoked

Target Industry

Opportunistic and indiscriminate targeting. 

Overview 

AnyDesk, a leading remote desktop software provider, has confirmed a significant security breach of its production systems. Following the detection of suspicious activity, a security audit revealed the compromise, which led to the theft of source code and code signing certificates. This incident, while serious, was not the result of a ransomware attack.

Impact 

The breach potentially endangers the integrity of AnyDesk’s software by allowing threat actors to create and distribute malicious versions of the software, leveraging the stolen code signing certificates. The company has taken steps to mitigate the immediate risks by revoking affected certificates and issuing new ones. 

Vulnerability Detection 

Organisations that use AnyDesk should perform a comprehensive audit of all instances of the AnyDesk software and remove or update any versions that are using the old AnyDesk code signing certificate. 

AnyDesk versions prior to 8.0.8, or installations that do not use the certificate with thumbprint 646F52926E01221C981490C8107C2F771679743A, are a potential security risk.
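The audit described above, as an added PowerShell example that is not part of the bulletin and not AnyDesk's or Quorum Cyber's own tooling. It assumes AnyDesk.exe sits in one of the usual install paths or is a running process; the version floor and thumbprint are the values quoted in this bulletin, and $RevokedSerial is the 16-byte sequence from the bulletin's YARA rule ($sc1) read as a certificate serial number (an assumption made here).

```powershell
# Added example (not from the bulletin): audit AnyDesk binaries on a Windows host
# for the version floor and the signing certificate named in the bulletin.
$MinimumVersion     = [version]'8.0.8'                                     # from the bulletin
$RevokedSerial      = '0DBF152DEAF0B981A8A938D53F769DB8'                  # YARA $sc1 bytes, assumed to be the cert serial
$BulletinThumbprint = '646F52926E01221C981490C8107C2F771679743A'          # thumbprint quoted in the bulletin

# Candidate binaries: common install locations plus any running AnyDesk process (assumed paths).
$candidates = @(
    "$env:ProgramFiles\AnyDesk\AnyDesk.exe",
    "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe",
    "$env:APPDATA\AnyDesk\AnyDesk.exe"
)
$candidates += Get-Process -Name 'AnyDesk' -ErrorAction SilentlyContinue | ForEach-Object { $_.Path }

$findings = foreach ($path in ($candidates | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique)) {
    $sig      = Get-AuthenticodeSignature -FilePath $path
    $ver      = (Get-Item $path).VersionInfo.ProductVersion
    $verClean = $ver -replace '[^\d.].*$', ''          # keep only the numeric dotted part
    $reasons  = @()

    if (-not $verClean -or [version]$verClean -lt $MinimumVersion) {
        $reasons += "version '$ver' is below $MinimumVersion"
    }
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    }
    if ($sig.SignerCertificate -and $sig.SignerCertificate.SerialNumber -eq $RevokedSerial) {
        $reasons += 'signed with the revoked certificate (serial matches YARA $sc1)'
    }

    [pscustomobject]@{
        Path                      = $path
        Version                   = $ver
        Signer                    = $sig.SignerCertificate.Subject
        Thumbprint                = $sig.SignerCertificate.Thumbprint
        MatchesBulletinThumbprint = ($sig.SignerCertificate.Thumbprint -eq $BulletinThumbprint)
        Status                    = if ($reasons) { 'REVIEW: ' + ($reasons -join '; ') } else { 'OK' }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session so Get-Process can read the path of every AnyDesk process. Any row marked REVIEW should be removed or updated to a current release, and the reported Thumbprint column can be compared directly against the value given in this bulletin.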

Containment, Mitigations & Remediations 

AnyDesk, in collaboration with CrowdStrike, has initiated a comprehensive response plan. They have remediated or replaced compromised systems and revoked all security-related certificates. A new code signing certificate is now in use, and previous versions of the AnyDesk software signed with the compromised certificate are considered unsafe. 

Threat Landscape 

This incident highlights the importance of robust cyber security measures and the potential risks associated with supply chain attacks. AnyDesk has confirmed over 800 million downloads worldwide. The cybersecurity firm Resecurity reported that credentials for over 18,000 AnyDesk customers were offered for sale on a cybercrime forum, though this sale appears not directly related to the breach. 

Threat Group 

The threat group responsible for the attack against AnyDesk is currently unknown. Quorum Cyber will monitor the situation and release any relevant updates. 

Additional information 

The following YARA rule can be employed to detect the revoked AnyDesk code signing certificate on disk. 


rule AnyDesk_revoked_code_signing_cert
{
    // rule name and condition added to complete the fragment given in the bulletin
    strings:
        $sc1 = { 0D BF 15 2D EA F0 B9 81 A8 A9 38 D5 3F 76 9D B8 }   // serial number of the revoked certificate
        $s2  = "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" // issuing CA name
    condition:
        all of them
}


Additionally, the following Microsoft 365 Defender Advanced Hunting query can be used to detect the presence of the revoked certificate in environments where certificate inventory is being collected.


DeviceTvmCertificateInfo
| where parse_json(IssuedBy).CommonName contains "DigiCert Trusted G4 Code"
| where Thumbprint =~ "646F52926E01221C981490C8107C2F771679743A"
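For hosts that are not reporting certificate inventory to Microsoft 365 Defender, the same two filters can be applied to the local certificate stores. The script below is an added example, not part of the bulletin; it searches every store on the machine for the thumbprint quoted above (and, as a second indicator, for the serial number taken from the bulletin's YARA rule, an assumption made here) and reports the issuer alongside each hit.

```powershell
# Added example (not from the bulletin): local equivalent of the Advanced Hunting query.
$Thumbprint     = '646F52926E01221C981490C8107C2F771679743A'   # from the bulletin
$RevokedSerial  = '0DBF152DEAF0B981A8A938D53F769DB8'           # YARA $sc1 bytes, assumed to be the cert serial
$IssuerFragment = 'DigiCert Trusted G4 Code'                   # same issuer fragment as the KQL

function Find-BulletinCertificate {
    # Walk every certificate store (CurrentUser and LocalMachine); store containers
    # have no Thumbprint property and therefore never match.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Thumbprint -eq $Thumbprint -or $_.SerialNumber -eq $RevokedSerial) -and
            $_.Issuer -like "*$IssuerFragment*"
        } |
        Select-Object PSParentPath, Subject, Issuer, Thumbprint, SerialNumber, NotAfter
}

$hits = Find-BulletinCertificate
if ($hits) {
    $hits | Format-List
} else {
    "No certificate matching the bulletin's thumbprint or serial found in local stores."
}
```

A hit only shows that the certificate is present in a store (for example cached after a signed installer ran); pair it with the binary audit above before deciding whether an installation needs to be replaced.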



Additional Reading

BleepingComputer – AnyDesk says hackers breached its production servers, reset passwords 

AnyDesk Hacked: Revokes Passwords, Certificates in Response