Unwrapping the Most Recent AnyDesk Hack: Production Servers Breached


At the end of December 2023, AnyDesk, a popular and widely used remote access solution, suffered a significant cybersecurity breach, only discovered in January 2024. The breach allowed unauthorized access to the company’s production systems, affecting its operations and putting its substantial user base at risk.  

What is striking is that the attackers managed to penetrate the remote access solution itself. Attacks more commonly follow a different pattern: the goal is to steal the access credentials of a specific company so that the company itself can be breached. AnyDesk is known for its extensive customer portfolio, including major corporations and millions of IT professionals worldwide, making the potential impact of this attack far-reaching.

More recent investigations have concluded that customer credentials were not stolen. Moreover, no malicious versions of the software have been distributed. However, there are extensive reports of compromised AnyDesk accounts being sold on the dark web in the aftermath of the breach “with the purpose of conducting technical support scams and email phishing attacks.”

 

How the AnyDesk Hack Was Carried Out 

The attackers compromised AnyDesk’s production systems, although the specific vector used for this breach has not been disclosed. It is known that source code and private code signing keys were stolen, suggesting sophisticated access.  

The breach was significant enough to prompt AnyDesk to reset passwords, revoke all security-related certificates, and replace compromised systems, indicating a deep intrusion into their network infrastructure. 

While the company clarified that it was not a ransomware attack and there was no extortion attempt, the breach seems to have roots in a previous security incident. According to one CISA and NSA joint advisory, “multiple federal civilian executive branch agencies” were the targets of an attack using legitimate remote monitoring solutions. The incident was reportedly part of a broader financially-motivated cyber campaign that began in mid-2022 with a series of phishing emails aimed at US federal employees – emails that prompted the download of remote access solutions and subsequent access into employees’ computers and bank accounts.  

One theory emerging from this cluster of incidents is that the hackers penetrated AnyDesk using access credentials obtained via malware installed during one of the earlier infections.

 

The Consequences of the AnyDesk Hack

The ramifications of the attack were substantial, both in terms of operational downtime and potential financial losses. AnyDesk experienced a multi-day outage, initially described as maintenance, which disrupted service for millions of users.  

The breach’s timing and the initial lack of transparency raised concerns among users and security professionals. Obviously, the company’s reputation has been affected. The handling of the incident can be considered faulty, with AnyDesk claiming at first that the systems outage was caused by maintenance. Veteran incident responder Jake Williams criticised AnyDesk for disclosing the cyberattack to customers just before the weekend.

The potential loss of credentials and the revocation of security certificates would have caused immediate disruption and could lead to longer-term trust issues among customers and partners.  

Furthermore, the sale of access to AnyDesk accounts on cybercrime forums added to the potential for further exploitation of affected users. The evidence is easy to find: in the days following the attack, many inboxes (including ours) filled with unsolicited emails offering AnyDesk customer databases. The timing suggests this is not coincidental.

However, the biggest threat is still lurking. While there is no evidence of such an occurrence, and the company deems it “unlikely,” the possibility still exists that the attackers could have (theoretically) rewritten AnyDesk code and tricked users into using the malicious software. 
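Because the stolen code signing keys and the revoked certificates described above mean that a validly signed AnyDesk binary is no longer proof of a clean build, a defender's first check is to inventory which certificate actually signed the binaries on each host. The following PowerShell script is an added example (not from the article, AnyDesk, or Impero); the install paths are assumptions and the thumbprint is a placeholder to be replaced with the vendor's current signing certificate.

```powershell
# Added example: list the Authenticode signer of every AnyDesk binary on this
# host and flag anything that is unsigned, fails validation (e.g. its
# certificate chain no longer verifies), or is signed by a certificate other
# than the one currently trusted. PLACEHOLDER thumbprint: replace with the
# vendor's published current signing certificate thumbprint.
$TrustedThumbprints = @('PLACEHOLDER_CURRENT_ANYDESK_SIGNING_CERT_THUMBPRINT')

# Assumed typical install and per-user locations; extend to match your estate.
$Paths = @(
    "$env:ProgramFiles\AnyDesk",
    "${env:ProgramFiles(x86)}\AnyDesk",
    "$env:APPDATA\AnyDesk"
) | Where-Object { Test-Path $_ }

$Binaries = Get-ChildItem -Path $Paths -Recurse -Include *.exe, *.dll `
    -ErrorAction SilentlyContinue

foreach ($file in $Binaries) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    $thumb   = if ($cert) { $cert.Thumbprint } else { '(unsigned)' }
    $subject = if ($cert) { $cert.Subject }    else { '' }

    # Two independent checks: the signature must validate, AND the signer
    # must be the expected certificate. A file signed with a stolen key can
    # pass the first check until the certificate is actually revoked, so the
    # explicit allow-list is what catches an old or unexpected signer.
    $verdict = if ($sig.Status -ne 'Valid') { "REVIEW: $($sig.Status)" }
               elseif ($TrustedThumbprints -notcontains $thumb) { 'REVIEW: unexpected signer' }
               else { 'ok' }

    [pscustomobject]@{
        File       = $file.FullName
        Status     = $sig.Status
        Subject    = $subject
        Thumbprint = $thumb
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Verdict    = $verdict
    }
}
```

Pipe the output to Export-Csv to collect results across a fleet; any row whose Verdict is not "ok" is a binary to pull and examine before it runs again.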

 

How Impero Connect Could Have Prevented This Attack 

Drawing a direct connection to this hack, let’s explore how Impero Connect’s advanced security features could mitigate similar risks. 

Impero Connect is fortified with 256-bit AES encryption, ensuring that all data transmitted during remote sessions is protected against interception and unauthorized access, a critical layer of defense that might have thwarted the attackers in the AnyDesk scenario.  

Furthermore, Impero Connect’s centralized multi-factor authentication system, supporting Microsoft Azure, RADIUS, RSA SecurID, and Smartcards, adds an additional security layer that could prevent unauthorized system access, even if credentials were compromised as they were in the AnyDesk breach. 

The ability to control machine access through MAC or IP lists provides a targeted approach to secure connectivity, directly addressing vulnerabilities exploited in the AnyDesk hack by ensuring only authorized devices can connect.  

Complete logging with customizable audit trails and session recordings offered by Impero Connect exceeds PCI, GDPR, ISO, and HIPAA compliance requirements and creates a detailed record of all remote access activities. This feature could significantly aid in detecting and investigating unauthorized access attempts, providing transparency and accountability that were sorely needed in the aftermath of the AnyDesk incident. 

Impero Connect’s integration with Directory Services and granular control over user permissions through individual or group definitions allow for precise access management. This level of control ensures that users only have the necessary permissions, reducing the risk of internal threats or exploitation by external actors, a key concern highlighted by the AnyDesk hack. 

The platform’s Closed User Group license keys and customizable security roles further enhance the security posture, ensuring that remote access is strictly controlled and monitored. Automatic locking or logging of remote machines in case of abnormal disconnection provides an additional safety net against unauthorized access, addressing potential vulnerabilities in remote access scenarios similar to those exploited in the AnyDesk breach. 

Restricting user access with application white-listing and offering a multi-layer approach to security round out a comprehensive security strategy. This ensures that security policies are not compromised, in stark contrast to the vulnerabilities exposed in the AnyDesk attack.

 

Conclusion and Recommendations 

The AnyDesk cyberattack serves as a reminder of cybersecurity’s critical importance in remote access software. The breach’s consequences highlight the need for robust security measures, transparent communication, and swift incident response to maintain trust and ensure user safety.  

While it is true that most user keys cannot be stolen through AnyDesk, some of them can be. To put the breach as a metaphor: it is not the locks on individual doors that were necessarily breached, but the keymaker’s shop itself.

By prioritizing security at every level and offering extensive customization and control, Impero Connect presents a compelling solution for organizations seeking to safeguard their remote access capabilities against the evolving threat landscape. 

Organizations looking for a secure, reliable, and user-friendly remote access tool would do well to consider Impero Connect as a viable alternative to AnyDesk to mitigate the risks associated with cyber threats in today’s interconnected world. 
