Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems.
The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities.
"We have revoked all security-related certificates and systems have been remediated or replaced where necessary," the company said in a statement. "We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one."
Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it's urging users to change their passwords if the same passwords have been reused on other online services.
It's also recommending that users download the latest version of the software, which comes with a new code signing certificate.
AnyDesk did not disclose when and how its production systems were breached. It's currently not known if any information was stolen following the hack. However, it emphasized there is no evidence that any end-user systems have been affected.
Earlier this week, Günter Born of BornCity disclosed that AnyDesk had been under maintenance since January 29. The issue was addressed on February 1. Previously, on January 24, the company also alerted users of "intermittent timeouts" and "service degradation" with its Customer Portal.
AnyDesk boasts over 170,000 customers, including Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales.
The disclosure comes a day after Cloudflare said it was breached by a suspected nation-state attacker using stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.
Update
Cybersecurity firm Resecurity said it found two threat actors, one of whom goes by the online alias "Jobaaaaa," advertising a "significant number of AnyDesk customer credentials for sale at Exploit[.]in," noting it could be used for "technical support scams and mailing (phishing)."
The threat actor has been found offering 18,317 accounts for $15,000 in cryptocurrency, in addition to agreeing to a deal via escrow on the cybercrime forum.
"Notably, the timestamps visible on the shared screenshots by the actor illustrate successful unauthorized access dated February 3, 2024 (post-incident disclosure)," the company said. "It is possible that not all customers have changed their access credentials, or this mechanism was still ongoing by the affected parties."
It's not clear how the credentials were obtained, but Resecurity said cybercriminals could be rushing to monetize available customer credentials in light of the fact that the passwords could be reset.
AnyDesk Says Software "Safe to Use" After Cyber Attack
When reached for comment, AnyDesk directed The Hacker News to its new public statement, saying all versions of its tool obtained from "official sources" remain safe to use. It also recommended that customers download the latest versions 7.0.15 and 8.0.8.
The incident, according to a separate FAQ posted by the company, is said to have occurred in mid-January 2024, prompting it to conduct a security audit that ultimately found evidence of compromised production systems.
It further emphasized it has neither observed any malicious modifications to its source code nor seen evidence of malicious code being distributed to customers through any AnyDesk systems.
AnyDesk also highlighted that reports of user credentials being sold on the dark web are not directly connected to the incident. "Rather, they appear to be old information obtained from end-user devices infected with malware, e.g., information stealers," the company said.
