Remote access firm AnyDesk forced a password reset for all my.anydesk.com customers after 18,000 user credentials were found for sale on hacker forums for $15K.
A day after the maker of AnyDesk announced its production systems had been compromised, researchers said they discovered credentials belonging to thousands of the popular remote access tool’s customers. AnyDesk boasts 170,000 customers that range from small businesses to some of the world's largest companies.
In its incident response notice, AnyDesk said it activated a remediation plan and called in cybersecurity firm CrowdStrike after discovering the attack on its systems.
“The remediation plan has concluded successfully. The relevant authorities have been notified and we are working closely with them. This incident is not related to ransomware,” the notice said.
The company said it had revoked all security-related certificates and was working towards revoking the previous code signing certificate for its binaries and replacing it with a new one.
“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices,” the company said.
“As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.”
Valuable cache of credentials quickly put up for sale
Researchers at Resecurity said they observed multiple threat actors selling access to compromised AnyDesk credentials on dark web hacking forums the day after the company’s announcement.
One threat actor was offering to sell more than 18,000 accounts and passwords for $15,000 in cryptocurrency, the researchers said in a Sunday post.
“Notably, the timestamps visible on the shared screenshots by the actor illustrate successful unauthorized access dated February 3, 2024 (post-incident disclosure),” the post said.
“It is possible that cybercriminals familiar with the incident are hurrying to monetize available customer credentials via the Dark Web, with the awareness that AnyDesk may take proactive measures to reset their credentials.”
The cache of stolen credentials would be extremely valuable to scammers, initial access brokers, and ransomware groups already familiar with abusing AnyDesk, the Resecurity researchers said.
“The end-users of AnyDesk include IT administrators, who are often targeted by threat actors. Thus, it is critical that AnyDesk ensures this cyberattack hasn’t impacted access to any other critical systems to which their IT admins may have privileged access.”
Why cybercrims love AnyDesk
AnyDesk can be used for remote control, file transfer, and VPN functionality. It is commonly used by IT support desks to service staff and customers' computers remotely. According to AnyDesk’s website, the company has over 170,000 customers.
The tool is also popular with cybercriminals – from those engaged in tech support scams, through to hackers seeking persistent remote access to a target network, or looking for a way to blend malicious activity into regular network traffic.
According to AnyDesk’s website, common tech support scams involving the tool include threat actors pretending to be Microsoft technicians offering to clean malicious software off a victim’s device. Impersonators pretending to be AnyDesk support staff have also been known to claim they want to solve a bug in Windows, which the site notes happens “in some cases even if you’re on a macOS device.”
Once an AnyDesk remote connection is established, the scammers often drop malware on the victim’s machine or steal information such as banking credentials.
Resecurity’s researchers said AnyDesk corporate customers should contact the company for more details on how the recent breach could potentially impact their organization. They should activate the tool’s whitelist feature to restrict which AnyDesk IDs can connect to their devices, and turn on multi-factor authentication (MFA) for their my.anydesk.com accounts. Monitoring for unexpected password and MFA changes, suspicious sessions and external emails referencing AnyDesk account information was also recommended.
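The session-monitoring advice above can be turned into a concrete check against the connection trace AnyDesk keeps on each endpoint. The following is an added example written for this article, not code from AnyDesk or from Resecurity. It assumes the trace is a tab-separated file with five fields per line (direction, timestamp, authentication method, remote AnyDesk ID, alias), which is the layout commonly described in forensic write-ups but is not guaranteed by AnyDesk; the file path, the allowlist IDs and the sample lines are all constructed for illustration. It flags incoming sessions from IDs outside the allowlist, unattended logins (password or saved token rather than an interactive accept), rejected attempts, and connections outside a working-hours window.

```python
"""Flag suspicious AnyDesk incoming sessions from a connection trace.

Assumed record layout (hypothetical; verify against your own
%ProgramData%\\AnyDesk\\connection_trace.txt before relying on it):
    <Incoming|Outgoing>\t<YYYY-MM-DD, HH:MM>\t<auth>\t<remote ID>\t<alias>
where <auth> is one of User (interactive accept), Passwd (unattended
access password), Token (saved "never ask again" permission) or REJECTED.
"""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical allowlist of AnyDesk IDs the help desk is expected to use.
ALLOWLIST = {"123456789", "987654321"}

# Constructed sample trace; not real data.
SAMPLE_TRACE = (
    "Incoming\t2024-02-02, 09:15\tUser\t123456789\t123456789\n"
    "Incoming\t2024-02-03, 02:41\tPasswd\t555555555\t555555555\n"
    "Incoming\t2024-02-03, 02:50\tREJECTED\t555555555\t555555555\n"
    "Outgoing\t2024-02-03, 08:00\tUser\t987654321\t987654321\n"
    "Incoming\t2024-02-03, 23:12\tToken\t444444444\t444444444\n"
)


@dataclass
class TraceEntry:
    direction: str
    when: datetime
    auth: str
    remote_id: str
    alias: str


def parse_trace(text):
    """Parse trace lines into TraceEntry objects, skipping malformed lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue  # blank or unexpected layout; do not guess
        direction, stamp, auth, remote_id, alias = parts
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d, %H:%M")
        except ValueError:
            continue
        entries.append(TraceEntry(direction, when, auth, remote_id, alias))
    return entries


def find_suspicious(entries, allowlist, off_hours=(22, 6)):
    """Return (entry, reasons) pairs for incoming sessions worth reviewing.

    off_hours is (start_hour, end_hour); a session whose hour is >= start
    or < end is treated as outside normal support hours.
    """
    start, end = off_hours
    findings = []
    for e in entries:
        if e.direction != "Incoming":
            continue
        reasons = []
        if e.remote_id not in allowlist:
            reasons.append("remote ID not in allowlist")
        if e.auth in ("Passwd", "Token"):
            reasons.append(f"unattended access via {e.auth}")
        if e.auth == "REJECTED":
            reasons.append("rejected attempt (possible credential guessing)")
        if e.when.hour >= start or e.when.hour < end:
            reasons.append("off-hours connection")
        if reasons:
            findings.append((e, reasons))
    return findings


def rejected_counts(entries):
    """Count REJECTED incoming attempts per remote ID (brute-force signal)."""
    counts = {}
    for e in entries:
        if e.direction == "Incoming" and e.auth == "REJECTED":
            counts[e.remote_id] = counts.get(e.remote_id, 0) + 1
    return counts


if __name__ == "__main__":
    for entry, why in find_suspicious(parse_trace(SAMPLE_TRACE), ALLOWLIST):
        print(entry.when, entry.remote_id, entry.auth, "->", "; ".join(why))
```

Run against the real trace by reading the file instead of SAMPLE_TRACE; a session with an unattended-access method from an ID you never approved, at 02:41, is exactly the pattern the researchers describe, and a burst of REJECTED lines from one ID should be treated as someone guessing the unattended-access password after the leak.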