AnyDesk, a remote desktop software, has recently released confirmation of a cyberattack in which hackers were able to access the company’s production environment.  Anydesk stated that no authentication tokens were stolen during the attack, as these tokens only exist on the end user’s device and are associated with the device’s fingerprint. However, out of caution, the company has revoked all passwords to their web portal and recommends users change their passwords, especially if they are used on other sites. Further, AnyDesk will be revoking all previous code signing certificates.

It is strongly recommended that all users install the latest version  of the software (version 8.0.8 for Windows, other binaries are still using the old certificate), as the old code signing certificate will soon be revoked. Furthermore, despite AnyDesk’s assurance that passwords were not stolen in the attack, it is strongly advised that all AnyDesk users change their passwords, especially if they use their AnyDesk password at other sites.

The following query can be used to identify executables in your environment that have been signed with the older, to-be revoked certificate (including prior versions of the Anydesk client):

((src.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH')) OR (tgt.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH')))

We will continue to provide more context and insight as the situation unfolds so that we can provide you more exact guidance to help mitigate risk in your environment.

SentinelOne Vigilance Team