On February 2, 2024, the provider of remote desktop software, Anydesk, confirmed that they had fallen victim to a cyberattack – as reported by Golem.de and my own research. Apart from confirming the incident and issuing a brief warning, Anydesk did not disclose any details regarding the actual attack.
Three days later, the Federal Office for Information Security (BSI) issued a public security warning about the incident, which was also reported by Golem.de. However, according to this warning, the BSI did not assess the incident as critical.
The communication from Anydesk only mentioned the precautionary reset of passwords for the customer portal and stated that there were no indications of user data compromise. The BSI provided a general warning about potential further attacks due to possible leakage of source code and certificates, including the risk of Man-in-the-Middle or Supply Chain attacks.
There was no mention of a warning that the BSI had issued on January 29, 2024 to a select group of operators of critical infrastructure, classified as confidential (TLP AMBER-STRICT).
Anydesk released another report on February 5, 2024, advising customers to upgrade to client versions 7.0.15 and 8.0.8 for secure usage of the remote desktop software. While version 8.0.8 is available for Windows end-users, the custom client version 7.0.15 reportedly cannot be generated yet. It is expected to be available in one to two weeks, signed with a new certificate.
The document also refers to Anydesk’s FAQ, which provides specific answers to questions about the cyber incident. Anydesk denies the possibility of sessions being hijacked or malware being distributed through Anydesk servers.
For the first time, Anydesk mentioned that they conducted a security audit in mid-January 2024 following indications of compromise and found evidence of a hack. They claim to have thwarted the attack by executing an emergency plan. Overall, the manufacturer assures that they have the situation under control and have mitigated the consequences of the incident, stating that the remote desktop software can be safely used as long as clients are downloaded from the provider’s servers.
More from the French ANSSI

Readers of my blog alerted me to a warning from the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), the French equivalent of the German BSI. In this ANSSI document dated February 5, 2024, the agency states that it was informed by the German BSI about a cyber incident at Anydesk on January 29, 2024.
The French agency not only states that all Anydesk clients (Linux, Windows, MacOS, Android, iOS, AppleTV, etc.) are affected, but, in its role as CERT-FR, also recommends specific precautions.
These precautions include identifying all Anydesk installations in the company, documenting them, and classifying them by sensitivity of the affected machines, workstations, and servers. Based on a risk assessment, it is recommended to uninstall Anydesk and to consider alternative remote access solutions. I discussed the ANSSI suggestions on my blog, noting the advice to analyze systems with Anydesk installations for “oddities” dating back to December 20, 2023. This can only be interpreted as indicating suspicions of a hack at that time.
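As an added illustration of the inventory step ANSSI recommends (this script is mine, not from the article, ANSSI or Anydesk), the following PowerShell snippet enumerates Anydesk installations on a Windows host via the standard uninstall registry keys, compares the version with the 7.0.15 / 8.0.8 minimums named above, records the Authenticode signer of the executable, and counts files in the install folder changed since December 20, 2023. The CSV output path is a placeholder; the install path is taken from the registry rather than assumed.

```powershell
# Added example, not from the article: inventory AnyDesk installs on this host.
$MinByMajor   = @{ 7 = [version]'7.0.15'; 8 = [version]'8.0.8' }  # versions named by the vendor
$SuspectSince = Get-Date '2023-12-20'                              # ANSSI's "look for oddities" date

# Standard Windows uninstall keys (64-bit, 32-bit and per-user installs)
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-MeetsMinimum([version]$v) {
  $min = $MinByMajor[$v.Major]
  if (-not $min) { return $false }   # unknown major branch: flag for manual review
  return $v -ge $min
}

$report = foreach ($k in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
  if ($k.DisplayName -notlike 'AnyDesk*') { continue }

  # DisplayIcon usually points at the main executable; strip a trailing ",0" icon index.
  $exe = if ($k.DisplayIcon) { ($k.DisplayIcon -split ',')[0].Trim('"') } else { '' }
  $ver = $null
  if ($k.DisplayVersion) { [void][version]::TryParse($k.DisplayVersion, [ref]$ver) }
  $sig = if ($exe -and (Test-Path $exe)) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

  # Files written in the install folder since the suspect date (a coarse "oddity" indicator)
  $recent = @()
  if ($k.InstallLocation -and (Test-Path $k.InstallLocation)) {
    $recent = @(Get-ChildItem -Path $k.InstallLocation -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -ge $SuspectSince })
  }

  [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    DisplayName  = $k.DisplayName
    Version      = $k.DisplayVersion
    MeetsMinimum = if ($ver) { Test-MeetsMinimum $ver } else { $false }
    Executable   = $exe
    SignatureOK  = if ($sig) { $sig.Status -eq 'Valid' } else { $false }
    Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    FilesChanged = $recent.Count
  }
}

$report | Format-Table -AutoSize
# Placeholder output path; feed the CSV into the documentation/classification step.
$report | Export-Csv -Path "$env:TEMP\anydesk-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it with administrative rights so the HKLM keys and Program Files are readable; a row with MeetsMinimum false, SignatureOK false or a non-zero FilesChanged marks a host for the risk assessment ANSSI describes.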