An incident occurred at AnyDesk (reported on February 2, 2024), which appears to have been first detected on January 24, 2024, as indicated by the revocation of a certificate.
While AnyDesk Software GmbH has not confirmed any compromise of their software package signing materials or any impact on end-user services, several security researchers have been actively investigating the potential use of AnyDesk’s key materials in malware signing.
Recommendations
- Review the software installed from AnyDesk Software GmbH, paying particular attention to the associated usage or audit trails of the service.
- Execute the YARA rules mentioned below.
- Follow the latest advice from AnyDesk Software GmbH, including updating their software to the newest version.
Vulnerable systems in Luxembourg
- There are users of the AnyDesk software in Luxembourg, but we are not aware of any exploitation or incidents related to this matter.
Detection and Incident Response
- YARA rules covering three cases (potential detection: AnyDesk certificate used; AnyDesk certificate used, but unrelated PE info; malicious AnyDesk .NET) are available at stairwell
- YARA rules to detect the compromised signing certificate of AnyDesk are available at signature-base/yara
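
To support the software review recommended above, the following PowerShell script inventories every binary on a Windows host whose Authenticode signer is an AnyDesk certificate and flags files whose version metadata does not name AnyDesk. It is an added example, not part of the original advisory or of any AnyDesk or YARA tooling; the search roots are assumptions, and the serial number is a placeholder to be replaced with the value published by the vendor or in the referenced rules.

```powershell
# Added example: list files signed with an AnyDesk certificate.
# Assumption: these roots cover the usual install and per-user locations.
$SearchRoots = @(
    $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
    $env:LOCALAPPDATA, $env:APPDATA
)
# Placeholder only: the advisory does not list the certificate serial.
$FlaggedSerials = @('<SERIAL-OF-REVOKED-CERTIFICATE>')

$findings = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -File -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $cert = $sig.SignerCertificate

            # Keep only files whose signer subject names AnyDesk.
            if ($cert -and $cert.Subject -match 'AnyDesk') {
                $info = $file.VersionInfo
                [pscustomobject]@{
                    Path          = $file.FullName
                    Status        = $sig.Status
                    Subject       = $cert.Subject
                    Serial        = $cert.SerialNumber
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    Product       = $info.ProductName
                    Company       = $info.CompanyName
                    # Signed by AnyDesk but PE metadata names something else:
                    # the "unrelated PE info" case the YARA rules look for.
                    UnrelatedInfo = -not ("$($info.CompanyName) $($info.ProductName)" -match 'AnyDesk')
                    FlaggedSerial = $FlaggedSerials -contains $cert.SerialNumber
                }
            }
        }
}

# Files needing attention first: mismatched metadata or a flagged serial.
$findings |
    Sort-Object -Property UnrelatedInfo, FlaggedSerial -Descending |
    Format-Table -AutoSize Path, Status, Serial, UnrelatedInfo, FlaggedSerial
```

Files reported with `UnrelatedInfo` or `FlaggedSerial` set to `True` are candidates for the YARA scan and for a closer look at their origin and audit trail.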
References
- Compromised vendor AnyDesk Incident Response 2-2-2024
- Reporter Proactive response: AnyDesk, any breach
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version - 5th February 2024