Following the disclosure of a security incident by remote management software maker AnyDesk, cybersecurity firm Resecurity says it identified multiple threat actors offering AnyDesk credentials on the darkweb.
Following the disclosure Friday of a security incident by AnyDesk, cybersecurity firm Resecurity said it identified multiple threat actors offering AnyDesk credentials on the darkweb.
AnyDesk disclosed Friday that it had “found evidence of compromised production systems” but did not specify whether customer or partner credentials had been impacted. However, the remote management software maker did report that it had reset all passwords to its web portal in response to the breach.
[Related: Why SMBs With Old Routers ‘Now Are A Target’ For Nation-State Hackers]
In a post Sunday, researchers at Resecurity said they have “identified multiple threat actors selling access to compromised AnyDesk credentials on cybercriminal forums.”
One threat actor had listed more than 18,000 credentials belonging to AnyDesk customers on a “prominent” darkweb forum, the researchers said.
Analysts from Resecurity made contact with the threat actor and were told the credentials were being offered for a $15,000 cryptocurrency payment, the firm said.
CRN has reached out to AnyDesk for comment. The company has said its customer base numbers more than 170,000, including companies such as Nvidia, Comcast and Samsung as well as organizations such as the United Nations, MIT and Harvard Medical School.
In its statement Friday, AnyDesk said that a security audit was conducted “following indications of an incident on some of our systems.”
The incident did not include ransomware and there is “no evidence that any end-user devices have been affected,” according to the investigation of the incident, which AnyDesk said has included security professionals from CrowdStrike.
AnyDesk said in the statement that it had “revoked all security-related certificates and systems have been remediated or replaced where necessary.”
“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end-user devices,” the company said. “As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.”
In addition, AnyDesk said that “the situation is under control and it is safe to use AnyDesk.”
Prior Attacks
In January 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed a major cyberattack campaign that exploited legitimate remote monitoring and management (RMM) software, including from AnyDesk.
CISA disclosed that it had identified a “widespread cyber campaign involving the malicious use of legitimate RMM software” that took place in October 2022. As part of the campaign, cybercriminals sent out phishing emails with the goal of getting users to download legitimate RMM software, leading to the theft of funds from the users’ bank accounts.