On February 3, 2024, AnyDesk disclosed that they were the victim of a cyberattack which compromised their production systems.
In its public statement about indications of an incident on some of its systems, AnyDesk said it had revoked all passwords for its user web portal and recommended that all customers change their passwords anywhere the same credentials had been reused.
New details have emerged indicating that customer credentials were among the data stolen, with tens of thousands of usernames and passwords being offered for sale on dark web forums.
According to cybersecurity firm Resecurity, threat actors using the aliases "Jobaaaaa" and others have been peddling large caches of AnyDesk credentials on dark web sites like Exploit[.]in. Resecurity analysts were able to make contact with one of the actors, who claimed the credentials could be used for "technical support scams and mailing (phishing)."
The samples provided by the actors consisted of compromised access credentials belonging to various consumers and enterprises, granting access to the AnyDesk customer portal. In total, 18,317 compromised AnyDesk accounts were offered for sale for $15,000 in cryptocurrency.
[Image: AnyDesk customer credentials for sale]
The threat actor did not provide details on how the credentials were obtained, but possibilities include phishing campaigns, malware like info-stealers, or direct network intrusion of AnyDesk's systems.
Access to AnyDesk accounts provides cybercriminals with information like license keys, session details, customer IDs and contact info. This data enables more targeted attacks through email phishing campaigns impersonating AnyDesk or IT providers. Fraudsters can also directly abuse credentials to gain remote access to devices.
The sale of AnyDesk logins on dark web forums highlights the urgency of users changing passwords if they haven't already. AnyDesk recommended password resets in their incident disclosure. However, Resecurity observed credentials for sale dated Feb. 3rd, after this announcement. This indicates some users have likely not taken action yet.
In a recent tweet, Resecurity stated:
"It is possible that not all customers have changed their access credentials, or this mechanism was still ongoing by the affected parties. Without a doubt, the complexity of handling proper remediation is significant in the case of a large customer base, and such procedures may not be instantly executed, requiring proper planning. This exact aspect could be leveraged by the bad actors."
— Resecurity® (@RESecurity) February 4, 2024
MFA (multi-factor authentication) is critical for reducing the risk of account compromise. Resecurity noted that most of the exposed accounts did not have MFA enabled. AnyDesk offers MFA options, which users should enable immediately.
This incident comes on the heels of cyberattacks on Cloudflare, Microsoft and others, seemingly by nation-state hackers. While the AnyDesk breach appears financially motivated so far, Resecurity warns that some state-sponsored groups use criminal personas as cover.