Comments from Yossi Rachman, Semperis, Senior Director of Research on the AnyDesk hack
February 2024 by Yossi Rachman, Director of Security Research, Semperis
AnyDesk has stated following its breach that session authentication tokens "cannot be stolen". That does not necessarily mean AnyDesk sessions cannot be hijacked: since the threat actors gained access to both source code and production servers, they may find other ways to hijack sessions, for example through vulnerabilities they discover in the source code or on the production servers. The comment below is from Yossi Rachman, Senior Director of Research at Semperis, on the AnyDesk hack:
There could be numerous reasons for this attack.
First, this might be part of an effort to gain access to AnyDesk’s customer environments, either to geopolitical actors like the UN (in case the attackers are operating on behalf of a foreign nation-state) or as part of a "for profit" attack by a threat actor trying to steal sensitive customer data.
Another option is a specifically targeted attack aimed at stealing AnyDesk’s source code to abuse it as part of a larger offensive effort which might be carried out later – much like the SolarWinds breach. This could also be a quick cash grab by the threat actors to take the compromised credentials and sell them to the highest bidders on the dark web. Speed would be the goal because as soon as their customers were notified about the breach, they would be changing their passwords.
Kudos to AnyDesk for their transparency and for activating an immediate response and remediation plan after they learned of the incident. I am hopeful that the impact on customers will be minimal, but we just do not know today. There are some reports stating that some dark web sources have customer credentials from up to 20,000 customers for sale, making it critical for AnyDesk’s customers to immediately do a reset.
While purely speculation, by breaching AnyDesk, the threat actors could not just gain unauthorized access to customers’ systems, but also obtain access to significant sensitive data on AnyDesk customers, such as contact info, email addresses and login info, making that credential reset extremely important. Customers should immediately change their passwords and monitor use of AnyDesk in their systems to see if there are any unauthorized access attempts. AnyDesk customers should also be on the lookout for phishing emails about the AnyDesk breach, urging them to open malicious documents and links or to download and install malicious software masquerading as AnyDesk "security updates" or "vulnerability scanners."