Is AnyDesk Compromised? What's Going On?

Use caution with the remote support software to avoid potential issues.

Is AnyDesk Hacked?

There is some noise on X (formerly Twitter) about AnyDesk, one of the most popular remote desktop applications, and it does not point to anything positive.

It all started on Jan 30, 2024, when AnyDesk users began reporting issues. On Jan 31, 2024, after the users' reports, AnyDesk posted maintenance tweets. The unexpected maintenance downtime lasted 48 hours, which is quite a long maintenance period.

The picture became clearer when AnyDesk pushed version 8.0.8 for the Windows platform. The official change log page of the AnyDesk client shows that the latest update is a security update (for Windows), which reads:

Security update: Exchanged code signing certificate. The previous certificate will be invalidated soon. Please update
AnyDesk Change Log Message

Currently, ambiguous details are slowly emerging regarding a cyber incident, yet there is an information embargo preventing access to specific details.  

AnyDesk Confirms It Was Hacked

AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.

The sign of the compromise was revealed by the changelog message for Windows clients. Still, it is not clear why AnyDesk has pushed the update for Windows clients only.

AnyDesk is used legitimately by millions of IT professionals worldwide to remotely connect to their clients' devices and help with technical issues. Even the AnyDesk homepage claims that it has been trusted by 170,000+ customers.

We strongly recommend that everyone update their AnyDesk Windows client to the latest version and, at least for the time being, not use it in critical infrastructure and server environments.


Also, keep monitoring the environments that have been remotely maintained in recent weeks. 
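The update advice above can be checked on a Windows host with a short audit of installed binaries. This PowerShell script is an added example, not AnyDesk's code or part of the original post; the search roots, the `AnyDesk*.exe` file-name filter and the `$OldCertThumbprint` placeholder are assumptions to replace with values from the vendor's guidance.

```powershell
# Added example: report version and code-signing certificate of AnyDesk binaries.
param(
    # Assumed search roots; add paths where portable copies may live.
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData),
    # 8.0.8 is the Windows release carrying the exchanged certificate (per the change log).
    [version]$MinVersion = '8.0.8',
    # Placeholder: thumbprint of the previous certificate, taken from vendor guidance.
    [string]$OldCertThumbprint = '<PREVIOUS-CERT-THUMBPRINT>'
)

function Get-AnyDeskAudit {
    param([string[]]$Roots, [version]$MinVersion, [string]$OldCertThumbprint)

    # Skip empty or missing roots (e.g. no ProgramFiles(x86) on 32-bit systems).
    $existing = @($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($existing.Count -eq 0) { return }

    # The file-name filter is an assumption; renamed copies will not match.
    Get-ChildItem -LiteralPath $existing -Filter 'AnyDesk*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                Path            = $_.FullName
                Version         = $ver
                Outdated        = $ver -lt $MinVersion
                SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer          = if ($cert) { $cert.Subject } else { $null }
                Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
                SignedOldCert   = [bool]($cert -and $cert.Thumbprint -eq $OldCertThumbprint)
            }
        }
}

$report = Get-AnyDeskAudit -Roots $Roots -MinVersion $MinVersion -OldCertThumbprint $OldCertThumbprint
# Anything outdated, unsigned/invalid, or signed with the previous certificate needs follow-up.
$report | Where-Object { $_.Outdated -or $_.SignedOldCert -or $_.SignatureStatus -ne 'Valid' } |
    Format-Table -AutoSize -Wrap
```

A `Valid` status alone does not show which certificate signed the file, which is why the thumbprint is reported next to it.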

AnyDesk finally confirmed the breach of its production systems in a shady statement. The AnyDesk Status Page was also updated with the following statement:

"All client logins are now available. We will continue to monitor the login functionality to prevent any further interruptions."

This post has been updated with the official statement from AnyDesk acknowledging the security incident.

1 comment
  1. Anonymous
    Hackers Breach AnyDesk Production Servers

    "AnyDesk says they have revoked security-related certificates and replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident...AnyDesk is designed in a way which session authentication tokens cannot be stolen. They only exist on the end user's device and are associated with the device fingerprint. These tokens never touch our systems."

    https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-resets-passwords/