AnyDesk Attack Response Stirs Threat Analyst Criticism and Doubts

• AnyDesk is assuring customers that its remote monitoring and management tool remains secure despite its move to reset credentials en masse following an attack.
• “The situation is under control and it is safe to use AnyDesk,” the company said in an updated blog post and FAQ it published Monday. “We have no evidence that any customer data has been exfiltrated. Again, we also have no evidence that any end-user devices have been affected by this incident.”
• AnyDesk said it was first alerted to malicious activity in some of its systems in mid-January. It found evidence of compromise as part of its remediation and response, which included assistance from incident response firm CrowdStrike.

Experts are concerned about the severity of the incident and are watching for potential follow-on compromises.

The remote access tool, which has more than 170,000 customers globally, maintains the attack was not ransomware based and there was no extortion attempt. The company said session hijacking is “extremely unlikely” and urged customers to ensure they’re using the latest versions of the software.

Doubts linger over what prompted AnyDesk to revoke all security-related certificates, including its code signing certificate, and initiate a mass reset of all passwords to its web portal.

“This seems to be a significant incident – companies don’t just reissue code-signing certificates without reason,” Nick Hyatt, director of threat intelligence at Blackpoint Cyber, said via email. Researchers at SentinelOne and Huntress have also raised concerns about AnyDesk’s response and risks awaiting its customers.

AnyDesk said its assessment found no malicious modifications to its code and determined credential compromise was only a theoretical risk, but a possibility it cannot rule out.

“This is unconvincing at best, and wishy-washy at worst. Either you do know and can prove it, or you don’t know,” Hyatt said.

AnyDesk hasn’t disclosed when the threat activity was contained, how the threat actor gained access to its systems, and what specific systems were compromised during the attack.

Industry concerns about potential downstream compromise are heightened because AnyDesk and other remote access tools are frequently targeted by ransomware actors.

“AnyDesk is extremely common in ransomware attacks,” Hyatt said. “Threat actors love remote access tools, especially ones that don’t require any level of verification to use.”

Blackpoint has observed more than 2,000 instances of unauthorized use of AnyDesk in monitored environments since last May, according to Hyatt.

While that activity is not related to the recent attack against AnyDesk’s systems, it’s an example of how threat actors use remote access tools to gain footholds in targeted victim environments.

Read the original article by Cybersecurity Dive.