Remote desktop software provider AnyDesk acknowledged late Friday that a cyberattack gave hackers access to its production systems, putting the company on lockdown for nearly a week.
AnyDesk's software is used by millions of IT professionals to quickly and remotely connect to client devices, often to resolve technical issues. AnyDesk claims on its website that it has over 170,000 customers, including Comcast, LG, Samsung, and Thales.
The software is also a popular tool among threat actors and ransomware gangs, who have long used it to gain and maintain access to victims' computers and data. In January, the US cybersecurity agency CISA announced that hackers used legitimate remote desktop software such as AnyDesk to infiltrate federal agencies.
News of the alleged breach began spreading last Monday when AnyDesk announced that it had replaced the code-signing certificates that companies use to prevent hackers from tampering with their code. After a multi-day outage, AnyDesk acknowledged in a statement late Friday that the company had “discovered evidence that our production systems have been compromised.”
AnyDesk said that as part of its incident response, the company has revoked all security-related certificates, repaired or replaced systems as necessary, and disabled all passwords to AnyDesk's customer web portal.
“We will soon be revoking the previous code signing certificate for our binaries and have already begun replacing them with new certificates,” the company added on Friday.
AnyDesk said the incident was not ransomware-related, but did not disclose the specific nature of the cyberattack.
AnyDesk spokesperson Matthew Caldwell did not respond to an email from TechCrunch. CrowdStrike, which is working with AnyDesk to remediate the cyberattack, declined to answer TechCrunch's questions as of Monday.
AnyDesk did not respond to questions asking whether customer data was accessed, but the company said in a statement that there is “no evidence that end-user systems were affected.”
“We can confirm that the situation is under control and that AnyDesk is safe to use,” AnyDesk said. “Please make sure you are using the latest version with a new code signing certificate.”
AnyDesk has already faced criticism for its response to previous cyberattacks. As first reported by German blogger Günter Born, AnyDesk initially claimed the four-day disruption that began on January 29 was “maintenance,” during which the company blocked users' ability to log in. Jake Williams, a veteran incident responder, called out AnyDesk in a post to X, saying the company carried out a “public relations campaign” by disclosing the cyberattack to customers just before the weekend.
Security researchers say the hackers are selling, on known cybercrime forums, access to AnyDesk accounts allegedly affected by the breach, but details of the stolen accounts are not available on users' computers. They also point out that it is likely the result of a previous infection with password-stealing malware.
Do you have any further information about this incident? Carly Page can be reached securely via Signal (+441536 853968) or email. You can also contact TechCrunch via SecureDrop.