This is some text inside of a div block.
Glitch effect

Threat Advisory: Possible AnyDesk Stolen Code Signing Certificate

|
Contributors:
Glitch effectGlitch effectGlitch effect
Glitch banner

UPDATE 02FEB2024 @ 1713 EST

On February 2, the online information security community came alive with a buzz and rumor: the AnyDesk remote control software provider may have been compromised. That morning, this was all speculationbut corroborated with an unexpected 48-hour maintenance period and a sudden change to their code signing certificate in the latest AnyDesk software version 8.0.8.

UPDATE  02FEB2024

AnyDesk has released an official statement "To date, we have no evidence that any end-user devices have been affected. We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate."

What Is AnyDesk? 

AnyDesk is a remote control software, similar to others like TeamViewer, LogMeIn, and other remote desktop solutions often used for tech support and remote troubleshooting. The program offers an end user the ability to connect to another user’s computer and control their mouse and keyboard, interacting with their device as if they were sitting at their desk.

Oftentimes, AnyDesk is used as a remote monitoring and management (RMM) utility, which may, with ill intent, be abused by threat actors dual-serving as a remote access trojan (RAT). However, the concern of AnyDesk being compromised does not mean this conversation is about RMMs or RATs… it is a conversation of signed programs and certificate legitimacy.

Mitigation Guidance

A handful of modern antivirus programs may naturally trust an application with a legitimate, signed certificate. In this scenario, any rogue or malicious program that could be signed with the AnyDesk certificate might fly under the radar.

Out of an abundance of caution, we recommend you review or audit any anomalous use of AnyDesk, and especially any other running applications or programs with the same certificate details as AnyDesk. 

Florian Roth has shared a community YARA rule to detect binaries that are signed with a potentially compromised AnyDesk signing certificateyour mileage may vary.

As a reminder, this possible breach is still a rumorAnyDesk has not made any public or official statements addressing these concerns.

What Is Huntress Doing?

In an effort to act proactively, Huntress is engaging detection efforts to rapidly identify anomalous activity from running processes using a potentially compromised AnyDesk certificate.

This detection capability will be incorporated into our managed EDR solution. If you are a Huntress partner, we are continuing to monitor and protect your environments.

We’ll be adding more updates to this blog as we uncover more information – stay tuned!

Categories
Share

Sign Up for Blog Updates

Subscribe today and you’ll be the first to know when new content hits the blog.

By submitting this form, you accept our Privacy Policy
Huntress at work
Threat Analysis
Threat Analysis