UPDATE: AnyDesk has released additional information following the events of their recent cyberattack, validating that the source code of their agent was not tampered with and confirming that all AnyDesk versions obtained from official channels are safe to utilize.
Given these developments, the severity of the incident has been reduced. However, customers are encouraged to follow AnyDesks’s recommendations to upgrade to the latest version of their software (version 8.0.8 and 7.0.15).
Any customers who leveraged the query provided previously should consider adjusting it for use in monitoring outdated versions for upgrading.
SentinelOne will continue to monitor the situation and will provide additional information if it becomes available.
Feb 2nd, 2024
AnyDesk, a remote desktop software, has recently released confirmation of a cyberattack in which hackers were able to access the company’s production environment. Anydesk stated that no authentication tokens were stolen during the attack, as these tokens only exist on the end user’s device and are associated with the device’s fingerprint. However, out of caution, the company has revoked all passwords to their web portal and recommends users change their passwords, especially if they are used on other sites. Further, AnyDesk will be revoking all previous code signing certificates.
It is strongly recommended that all users install the latest version of the software (version 8.0.8 for Windows, other binaries are still using the old certificate), as the old code signing certificate will soon be revoked. Furthermore, despite AnyDesk’s assurance that passwords were not stolen in the attack, it is strongly advised that all AnyDesk users change their passwords, especially if they use their AnyDesk password at other sites.
The following query can be used to identify executables in your environment that have been signed with the older, to-be revoked certificate (including prior versions of the Anydesk client):
((src.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH'))
OR (tgt.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH')))
We will continue to provide more context and insight as the situation unfolds so that we can provide you more exact guidance to help mitigate risk in your environment.
SentinelOne Vigilance Team