Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems.
The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities.
“We have revoked all security-related certificates and systems have been remediated or replaced where necessary,” the company said in a statement. “We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”
Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it’s urging users to change their passwords if the same passwords have been reused on other online services.
It’s also recommending that users download the latest version of the software, which comes with a new code signing certificate.
AnyDesk did not disclose when and how its production systems were breached. It’s currently not known if any information was stolen following the hack. However, it emphasized there is no evidence that any end-user systems have been affected.
Earlier this week, Günter Born of BornCity disclosed that AnyDesk had been under maintenance since January 29. The issue was addressed on February 1. Previously, on January 24, the company also alerted users of “intermittent timeouts” and “service degradation” with its Customer Portal.
AnyDesk boasts over 170,000 customers, including Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales.
The disclosure comes a day after Cloudflare said it was breached by a suspected nation-state attacker using stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.
Update
Cybersecurity firm Resecurity said it found two threat actors, one of whom goes by the online alias “Jobaaaaa,” advertising a “significant number of AnyDesk customer credentials for sale at Exploit[.]in,” noting it could be used for “technical support scams and mailing (phishing).”
The threat actor has been found offering 18,317 accounts for $15,000 in cryptocurrency.
“Notably, the timestamps visible on the shared screenshots by the actor illustrate successful unauthorized access dated February 3, 2024 (post-incident disclosure),” the company said. “It is possible that not all customers have changed their access credentials, or this mechanism was still ongoing by the affected parties.”
It’s not clear how the credentials were obtained, but Resecurity said cybercriminals could be rushing to monetize available customer credentials in light of the fact that the passwords could be reset.
The Hacker News has reached out to AnyDesk for further comment, and we will update the story if we hear back.