WafdogBlog http://192.168.11.11 Mon, 27 May 2024 10:16:38 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 http://192.168.11.11/wp-content/uploads/2023/11/logo_fav.png WafdogBlog http://192.168.11.11 32 32 Hacker Attack Disrupts Websites of Mecklenburg-Vorpommern Government and Police http://192.168.11.11/hacker-attack-disrupts-websites-of-mecklenburg-vorpommern-government-and-police/ Fri, 24 May 2024 12:11:25 +0000 http://192.168.11.11/?p=1265 Hacker Attack Disrupts Websites of Mecklenburg-Vorpommern Government and Police Read More »

]]>
On Thursday morning, the websites of the government, police, and intelligence services of Mecklenburg-Vorpommern, a german federal state were partially disrupted. According to a statement from the government in Schwerin, the affected sites have been only partially accessible since then.

State Digitalization Minister Christian Pegel (SPD) stated that the attacks closely resemble similar incidents from April and November of last year. “The initial analyses quickly showed that these are again so-called DDoS attacks, where the servers are overwhelmed by massive requests,” Pegel said. According to the Ministry of the Interior, a Russian group claimed responsibility for the incident last year.

The affected websites are provided and maintained by the Data Processing Center (DVZ) Mecklenburg-Vorpommern, the state’s IT service provider. The specialist pages of individual departments are particularly affected. The minister assured that experts are working hard to contain further waves of attacks. However, further attacks and possibly additional disruptions are to be expected in the short term.

Last November, websites of the state police were particularly targeted. Prior to that, in April 2023, cyberattacks had occurred in several federal states, including Mecklenburg-Vorpommern.

]]>
What is a Webapplication Firewall?What is a Web Application Firewall (WAF) and Why Do You Need One?What is a Webapplication Firewall? http://192.168.11.11/what-is-a-webapplication-firewallwhat-is-a-web-application-firewall-waf-and-why-do-you-need-onewhat-is-a-webapplication-firewall/ Tue, 14 May 2024 13:19:36 +0000 http://192.168.11.11/?p=1258 What is a Webapplication Firewall?What is a Web Application Firewall (WAF) and Why Do You Need One?What is a Webapplication Firewall? Read More »

]]>
In today’s digital age, the security of web applications is a paramount concern for businesses and organizations. Cyberattacks are becoming increasingly sophisticated, making it essential to employ robust security measures. One such measure is a Web Application Firewall (WAF). But what is a WAF, and why is it so important? This article will delve into the basics of WAF, its significance in cybersecurity, and how it protects web applications.

What is a WAF?

A Web Application Firewall (WAF) is a security solution designed to protect web applications by monitoring and filtering HTTP/HTTPS traffic between a web application and the Internet. Unlike traditional firewalls that create a barrier between servers, WAFs are specifically designed to protect web applications from various cyber threats. They do this by inspecting incoming and outgoing traffic and blocking malicious requests based on predefined rules.

How Does a WAF Work?

A WAF operates by placing itself between the web application and the end user. It acts as a shield, analyzing each request and response to detect and block malicious activity. The core functionality of a WAF includes:

  1. Traffic Monitoring and Filtering: A WAF continuously monitors web traffic for suspicious patterns. It filters out malicious requests before they reach the web application, ensuring only legitimate traffic is allowed through.
  2. Rule-Based Protection: WAFs use a set of predefined rules to identify and block threats. These rules are based on known attack signatures and patterns, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  3. Customizable Security Policies: Administrators can customize WAF policies to suit the specific needs of their web applications. This flexibility allows for more precise protection tailored to the unique threat landscape of each application.
  4. Real-Time Threat Intelligence: Many modern WAFs leverage real-time threat intelligence to stay updated on the latest attack vectors. This ensures that the WAF can quickly adapt to emerging threats and provide continuous protection.

The Importance of WAF in Cybersecurity

The importance of a Web Application Firewall in cybersecurity cannot be overstated. Here’s why WAFs are essential:

  1. Protection Against Common Attacks: Web applications are prime targets for attackers using techniques like SQL injection, XSS, and CSRF. A WAF provides a robust defense against these common attack vectors, safeguarding sensitive data and maintaining application integrity.
  2. Compliance Requirements: Many regulatory frameworks and industry standards, such as PCI-DSS and GDPR, require organizations to implement security measures to protect web applications. Deploying a WAF helps meet these compliance requirements and avoid hefty fines.
  3. Enhanced Visibility and Monitoring: A WAF provides detailed insights into web traffic, allowing administrators to identify potential threats and vulnerabilities. This enhanced visibility is crucial for proactive threat management and incident response.
  4. Cost-Effective Security Solution: Compared to dealing with the aftermath of a cyberattack, implementing a WAF is a cost-effective way to secure web applications. It helps prevent data breaches, which can result in significant financial losses and damage to an organization’s reputation.

How WAF Protects Web Applications

A WAF offers comprehensive protection for web applications through various mechanisms:

  1. Blocking Malicious Traffic: By filtering out malicious requests, a WAF prevents attackers from exploiting vulnerabilities in the web application. This reduces the risk of data breaches and unauthorized access.
  2. Rate Limiting and DDoS Protection: WAFs can detect and mitigate Distributed Denial of Service (DDoS) attacks by rate limiting requests. This ensures that legitimate users can access the application even during an attack.
  3. Preventing Data Leakage: WAFs monitor outgoing traffic for sensitive information, such as credit card numbers or personal data. They can block or mask this data to prevent it from being exposed to unauthorized parties.
  4. Virtual Patching: When vulnerabilities are discovered in a web application, it can take time to deploy patches. A WAF can provide virtual patching by blocking exploit attempts, buying time for developers to implement permanent fixes.

Conclusion

In conclusion, a Web Application Firewall (WAF) is a critical component of modern cybersecurity strategies. It provides robust protection against a wide range of web-based attacks, ensuring the security and integrity of web applications. By monitoring and filtering traffic, a WAF not only protects sensitive data but also helps organizations meet compliance requirements and enhance overall security posture. Investing in a WAF is a proactive step toward safeguarding your web applications and maintaining the trust of your users.

Understanding what a WAF is and recognizing its importance in cybersecurity is essential for any organization looking to protect its digital assets. With the ever-evolving threat landscape, deploying a WAF is not just an option but a necessity.

]]>
Vulnerability Exposed: Raspberry Pi Pico Used to Bypass Bitlocker Encryption http://192.168.11.11/vulnerability-exposed-raspberry-pi-pico-used-to-bypass-bitlocker-encryption/ Tue, 12 Mar 2024 16:04:15 +0000 http://192.168.11.11/?p=1229 Vulnerability Exposed: Raspberry Pi Pico Used to Bypass Bitlocker Encryption Read More »

]]>

A hobbyist has successfully extracted the Bitlocker decryption key of a notebook by using a Raspberry Pi Pico, which is available for less than 10 euros in this country. This allowed him to access the encrypted contents of an SSD protected with Bitlocker. The trick was to intercept the communication between the TPM chip soldered onto the notebook’s motherboard and the CPU.

Bitlocker is a software for encrypting data drives, which comes pre-installed on modern Windows systems such as Windows 10, 11, as well as Windows Server 2016, 2019, and 2022. Microsoft claims in the Bitlocker documentation that the application, when used with a Trusted Platform Module (TPM), provides “maximum protection”.

The validity of this statement was tested in a video released on Saturday on the YouTube channel Stacksmashing. At least on systems with external TPM chips, the protection seems to be bypassed within a very short time using an inexpensive single-board computer.

A TPM is designed, among other things, to securely store cryptographic keys like the one from Bitlocker and to transfer them to the CPU when needed, allowing the user to access their encrypted data. The key transfer occurs via an LPC bus (Low Pin Count).

The YouTuber identified the contacts of the TPM chip on the motherboard of his notebook, through which he could intercept the data transfer with a Raspberry Pi Pico. It took only 43 seconds to read the Bitlocker key, including the time to open the notebook case.

Subsequently, he was able to access the data on the Bitlocker-protected SSD using a Linux system – both reading and writing – using the key.

It is important to note that this attack is only possible with external TPM chips. Modern CPUs, both from Intel and AMD, typically have integrated TPMs, which means that the key transfer occurs within the CPU and cannot be easily intercepted via contacts on the motherboard.

Security researchers had already pointed out the possibility of such attacks on systems with external TPM chips in the summer of 2021. This is due to the unencrypted transmission of the encryption key, allowing the key to be intercepted via the TPM contacts.

]]>
Critical Security Alert: JetBrains TeamCity On-Premises Vulnerability (CVE-2024-23917) http://192.168.11.11/critical-security-alert-jetbrains-teamcity-on-premises-vulnerability-cve-2024-23917/ Tue, 12 Mar 2024 16:02:47 +0000 http://192.168.11.11/?p=1227 Critical Security Alert: JetBrains TeamCity On-Premises Vulnerability (CVE-2024-23917) Read More »

]]>

JetBrains has issued a warning to its customers regarding a critical security vulnerability found in its TeamCity On-Premises software, used for continuous integration and continuous deployment (CI/CD). This flaw, identified as CVE-2024-23917 and rated 9.8 out of 10 in severity according to the Common Vulnerability Scoring System (CVSS), poses a significant risk.

According to JetBrains, the vulnerability could allow threat actors to exploit susceptible instances of TeamCity On-Premises, potentially granting them administrative control. This affects all versions from 2017.1 through 2023.11.2. However, version 2023.11.3 addresses this issue.

The discovery of the flaw is credited to an external security researcher on January 19, 2024. JetBrains advises users to update their servers to version 2023.11.3 or apply a security patch plugin if immediate updating is not feasible. For servers accessible over the internet, JetBrains recommends making them temporarily inaccessible until mitigation measures are in place.

While there’s no evidence of exploitation yet, it’s worth noting that a similar vulnerability (CVE-2023-42793, with a CVSS score of 9.8) in the same product was actively exploited by threat actors shortly after its public disclosure last year, including ransomware groups and state-sponsored entities associated with North Korea and Russia.

]]>
Alert: Ivanti Discovers Critical Security Flaw in Connect Secure, Policy Secure, and ZTA Gateways http://192.168.11.11/alert-ivanti-discovers-critical-security-flaw-in-connect-secure-policy-secure-and-zta-gateways/ Tue, 12 Mar 2024 16:01:42 +0000 http://192.168.11.11/?p=1225 Alert: Ivanti Discovers Critical Security Flaw in Connect Secure, Policy Secure, and ZTA Gateways Read More »

]]>
Ivanti has issued a warning to its customers regarding a significant security vulnerability present in its Connect Secure, Policy Secure, and ZTA gateway devices. This flaw, identified as CVE-2024-22024 and rated 8.3 out of 10 on the CVSS scoring system, enables attackers to circumvent authentication protocols.

According to Ivanti, the vulnerability stems from an XML external entity or XXE flaw within the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and ZTA gateways. Exploitation of this vulnerability grants unauthorized access to restricted resources.

The company uncovered this issue during an internal review as part of its continuous investigation into various security weaknesses discovered since the beginning of the year. Notable vulnerabilities include CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

Affected versions of the products are as follows:

  • Ivanti Connect Secure: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
  • Ivanti Policy Secure: 22.5R1.1
  • ZTA: 22.6R1.3

To address CVE-2024-22024, patches have been released for:

  • Connect Secure versions: 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2
  • Policy Secure versions: 9.1R17.3, 9.1R18.4, and 22.5R1.2
  • ZTA versions: 22.5R1.6, 22.6R1.5, and 22.6R1.7

While Ivanti has not observed any active exploitation of the vulnerability, given the widespread abuse of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, prompt application of the latest fixes is strongly recommended.

]]>
Fortinet Discloses Critical Security Flaw in FortiOS SSL VPN: Exploitation in the Wild Confirmed http://192.168.11.11/fortinet-discloses-critical-security-flaw-in-fortios-ssl-vpn-exploitation-in-the-wild-confirmed/ Tue, 12 Mar 2024 16:00:31 +0000 http://192.168.11.11/?p=1223 Fortinet Discloses Critical Security Flaw in FortiOS SSL VPN: Exploitation in the Wild Confirmed Read More »

]]>

Fortinet has revealed a critical security vulnerability in FortiOS SSL VPN, indicating it’s likely being actively exploited. Identified as CVE-2024-21762 with a severity score of 9.6, this flaw permits the execution of arbitrary code and commands.

According to Fortinet’s bulletin released on Thursday, the vulnerability, categorized under CWE-787, involves an out-of-bounds write vulnerability in FortiOS, enabling remote unauthenticated attackers to execute arbitrary code or commands through specifically crafted HTTP requests. The company acknowledges the potential exploitation of this issue in the wild, although specific details regarding the exploitation methods or perpetrators remain undisclosed.

The affected versions include FortiOS 7.4 (from 7.4.0 to 7.4.2), FortiOS 7.2 (from 7.2.0 to 7.2.6), FortiOS 7.0 (from 7.0.0 to 7.0.13), FortiOS 6.4 (from 6.4.0 to 6.4.14), FortiOS 6.2 (from 6.2.0 to 6.2.15), and all versions of FortiOS 6.0, except FortiOS 7.6, which remains unaffected.

This disclosure aligns with Fortinet’s recent issuance of patches for CVE-2024-23108 and CVE-2024-23109, affecting FortiSIEM supervisor, where remote unauthenticated attackers could execute unauthorized commands via manipulated API requests.

Moreover, reports from the Netherlands government earlier this week unveiled a breach in their armed forces’ computer network by Chinese state-sponsored actors, exploiting known vulnerabilities in Fortinet FortiGate devices to implant a backdoor named COATHANGER.

Fortinet’s report this week also highlights the exploitation of N-day vulnerabilities, such as CVE-2022-42475 and CVE-2023-27997, by various threat actors targeting governments, service providers, consultancies, manufacturing, and critical infrastructure entities.

Previous instances have linked Chinese threat actors to zero-day exploitation in Fortinet appliances, deploying various implants like BOLDMOVE, THINCRUST, and CASTLETAP. The advisory from the U.S. government concerning a Chinese nation-state group named Volt Typhoon emphasizes the exploitation of known and zero-day vulnerabilities in networking appliances, including those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.

Despite China’s denial of allegations, accusations against the U.S. for conducting cyber attacks persist. These incidents underscore the significant threat posed by internet-facing edge devices, especially due to the absence of endpoint detection and response (EDR) support, making them vulnerable to abuse.

Fortinet states that these attacks typify the use of previously patched N-day vulnerabilities and subsequent living-off-the-land techniques, reminiscent of the tactics employed by the cyber actor or group known as Volt Typhoon, targeting critical infrastructure and potentially other associated entities.

Confirming the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the necessary fixes by February 16, 2024, to safeguard their networks against potential threats.

]]>
Critical Vulnerability in Linux EFI Application Shim Allows Remote Code Execution http://192.168.11.11/critical-vulnerability-in-linux-efi-application-shim-allows-remote-code-execution/ Tue, 12 Mar 2024 15:59:11 +0000 http://192.168.11.11/?p=1221 Critical Vulnerability in Linux EFI Application Shim Allows Remote Code Execution Read More »

]]>
In an EFI application named Shim, which is used by most common Linux distributions, a critical vulnerability has been discovered. This vulnerability allows attackers to inject malicious code and gain full control over the targeted system. The flaw, identified as CVE-2023-40547, can be exploited through a specially crafted HTTP request that leads to a controlled out-of-bounds write operation, as described.

Security researchers from Eclypsium emphasize that Shim is critical software in the boot process, utilized by most Linux distributions to support Secure Boot. While Red Hat maintains this application, it is deployed in all distributions supporting Secure Boot, including Debian, Ubuntu, Suse, and others.

The severity of CVE-2023-40547 has been rated as high by Red Hat and as critical by NIST. According to the Eclypsium researchers, the vulnerability can be exploited both locally and remotely. Remote attacks could occur, for example, through a man-in-the-middle attack on the traffic for providing files to support HTTP boot. Local exploitation is also possible, such as by using a bootable USB stick with a Linux live system, allowing the alteration of the boot order to selectively load an attacker’s Shim application, enabling privileged code execution without disabling Secure Boot.

The researchers caution that an attacker exploiting this vulnerability gains control over the system even before the kernel is loaded. This means the attacker has privileged access and can bypass all security checks implemented by the kernel and operating system. This facilitates the installation of bootkits, a type of malware executed before the operating system starts, typically granting extensive access rights.

Although a patch for CVE-2023-40547 is already available, and the issue has been addressed in Shim version 15.8, the researchers stress that the patch alone is insufficient. Additionally, an update of the Chain of Trust for Secure Boot is required. This entails updating the UEFI Secure Boot DBX (blacklist) to include the hashes of the vulnerable Shim software, as explained in the Eclypsium report.

The order of operations is crucial. Users must first update Shim and then apply the DBX update. The latter can be performed, for instance, using the fwupd tool by employing the “fwupdmgr update” command.

]]>
Snyk Security Labs Discovers Critical Container Vulnerabilities: Urgent Patching Recommended http://192.168.11.11/snyk-security-labs-discovers-critical-container-vulnerabilities-urgent-patching-recommended/ Tue, 12 Mar 2024 15:57:37 +0000 http://192.168.11.11/?p=1219 Snyk Security Labs Discovers Critical Container Vulnerabilities: Urgent Patching Recommended Read More »

]]>
A security researcher from Snyk Security Labs has identified a series of vulnerabilities that allow attackers to escape from a container environment and access the underlying host system. It is said in a blog post by Snyk that this could potentially grant access to sensitive data such as login or customer information, as well as enable the execution of further attacks.

The vulnerabilities, grouped under the name Leaky Vessels, were apparently discovered as early as November 2023. One of the vulnerabilities (CVE-2024-21626) relates to the CLI tool runc (up to version 1.1.11), which is used to create and execute containers in Linux. The severity is rated as high with a CVSS score of 8.6.

The other three vulnerabilities (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) are attributed to the toolkit Buildkit (up to version 0.12.4), used for example by the widely-used container virtualization solution Docker. These vulnerabilities range in CVSS scores from 8.7 up to the maximum severity of 10, indicating a high to critical severity level.

Patches have since been made available, with the vulnerabilities being addressed on January 31, 2024, with runc version 1.1.12 and Buildkit version 0.12.5. Relevant information regarding these patches can also be found with Docker, AWS, Ubuntu, and Google Cloud. Snyk strongly recommends users to diligently seek out updates for their container solutions and apply them as soon as possible.

“It is likely that you will need to update your Docker daemons and Kubernetes deployments, as well as any container build tools you use in CI/CD pipelines, on build servers, and on your developers’ workstations,” the company stated. Additionally, it’s crucial to inspect existing containers for potential compromise.

Tools for detecting misuse Snyk has provided two tools via Github intended to assist administrators in detection, emphasizing, however, that these tools do not rectify the vulnerabilities or prevent their exploitation. One of these tools is called the Leaky Vessels Dynamic Detector, which aims to detect exploitation attempts at runtime by searching for characteristic patterns associated with the vulnerabilities.

The second tool is named the Leaky Vessels Static Detector. “It scans Docker files and image layers to identify commands that appear to be attempting to exploit the vulnerabilities,” Snyk stated. However, it’s important to manually verify the findings afterward. Both tools are likely to produce some false negatives and false positives.

]]>
Vulnerability in Airbus Navblue’s Flysmart+ App Suite Exposes Aircraft Performance Risks http://192.168.11.11/vulnerability-in-airbus-navblues-flysmart-app-suite-exposes-aircraft-performance-risks/ Tue, 12 Mar 2024 15:56:13 +0000 http://192.168.11.11/?p=1217 Vulnerability in Airbus Navblue’s Flysmart+ App Suite Exposes Aircraft Performance Risks Read More »

]]>
Security researchers have discovered a weakness in a suite of apps developed by Navblue, a subsidiary of Airbus, known as Flysmart+. This suite serves as a software solution for Electronic Flight Bags (EFBs), used in tasks such as performance calculations for aircraft takeoffs. The researchers found that in one of the associated iOS apps, both the App Transport Security (ATS) feature and any form of certificate validation were turned off.

This could enable an attacker to tamper with calculations for engine performance, potentially leading to issues like tail strikes and unintended runway departures during aircraft takeoff, as explained by Antonio Cassidy from Pen Test Partners in a blog post.

Manipulating performance data via MitM attack ATS is a security measure that compels apps to use HTTPS, thus preventing unencrypted communication. However, this safeguard was found to be inactive in the examined Flysmart+ app, allowing a potential attacker to intercept, modify, and transmit sensitive data in encrypted form to the legitimate server – a classic Man-in-the-Middle (MitM) attack.

The researchers managed to access data downloaded from Navblue servers, including SQLite databases containing sensitive information about specific aircraft. Cassidy explained, “Many of these database tables are crucial for aircraft performance, weight, and balance.”

Attack via hotel Wi-Fi Nevertheless, the opportunities to exploit the vulnerability effectively seem limited. It appears necessary for an attacker to intercept synchronization with the Aeronautical Information Regulation and Control (Airac) database, which updates occur only approximately once a month.

However, Cassidy cautioned that it is relatively simple to identify pilots in hotels and their corresponding airlines – “and consequently the EFB apps they are likely using.” Since pilots from the same airline are often lodged in the same hotels, an attack could be carried out via the Wi-Fi networks of these accommodations to deliberately manipulate aircraft performance data.

Nevertheless, the vulnerability has since been addressed, nineteen months after the researchers reported it to Airbus. While this timeframe is extensive, according to a report by The Register, such delays are not unusual in the aviation industry due to the certification procedures commonly practiced there.

]]>
Cybersecurity Alert: Anydesk Cyberattack Revealed and Analyzed http://192.168.11.11/cybersecurity-alert-anydesk-cyberattack-revealed-and-analyzed/ Tue, 12 Mar 2024 15:54:27 +0000 http://192.168.11.11/?p=1215 Cybersecurity Alert: Anydesk Cyberattack Revealed and Analyzed Read More »

]]>
On February 2, 2024, the provider of remote desktop software, Anydesk, confirmed that they had fallen victim to a cyberattack – as reported by Golem.de and my own research. Apart from confirming the incident and issuing a brief warning, Anydesk did not disclose any details regarding the actual attack.

Three days later, the Federal Office for Information Security (BSI) issued a public security warning about the incident, which was also reported by Golem.de. However, according to this warning, the BSI did not assess the incident as critical.

The communication from Anydesk only mentioned the precautionary reset of passwords for the customer portal and stated that there were no indications of user data compromise. The BSI provided a general warning about potential further attacks due to possible leakage of source code and certificates, including the risk of Man-in-the-Middle or Supply Chain attacks.

There was no mention of a warning issued by the BSI to a selective group of users in critical infrastructure on January 29, 2024, classified as confidential (TLP AMBER-STRICT).

Anydesk released another report on February 5, 2024, advising customers to upgrade to client versions 7.0.15 and 8.0.8 for secure usage of the remote desktop software. While version 8.0.8 is available for Windows end-users, the custom client version 7.0.15 reportedly cannot be generated yet. It is expected to be available in one to two weeks, signed with a new certificate.

The document also refers to Anydesk’s FAQ, which provides specific answers to questions about the cyber incident. Anydesk denies the possibility of sessions being hijacked or malware being distributed through Anydesk servers.

For the first time, Anydesk mentioned that they conducted a security audit in mid-January 2024 following indications of compromise and found evidence of a hack. They claim to have thwarted the attack by executing an emergency plan. Overall, the manufacturer assures that they have the situation under control and have mitigated the consequences of the incident, stating that the remote desktop software can be safely used as long as clients are downloaded from the provider’s servers.

More from the French ANSSI Readers of my blog alerted me to a warning from the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), the French equivalent of the German BSI. In this ANSSI document dated February 5, 2024, the agency states that they were informed by the German BSI about a cyber incident at Anydesk on January 29, 2024.

The French agency not only mentions that all Anydesk clients (Linux, Windows, MacOS, Android, iOS, AppleTV, etc.) are affected but also recommends specific precautions as CERT-FR.

These precautions include identifying all Anydesk installations in companies, documenting them, and classifying them based on their sensitivity regarding machines, workstations, and servers. It is recommended to uninstall Anydesk solutions based on a risk assessment and consider alternative remote access solutions. I discussed the ANSSI suggestions on my blog, noting their advice to analyze systems with Anydesk installations for “oddities” dating back to December 20, 2023. This can only be interpreted as indicating suspicions of a hack at that time.

]]>