Frequently Asked Questions on Security Incident at AnyDesk

Frequently asked questions relating to a security incident at AnyDesk that was publicly disclosed on February 2.

Background

The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding a security incident at AnyDesk.

FAQ

What is the incident being reported at AnyDesk?

Since February 1, reports began circulating on social media about a possible breach at AnyDesk Software GmbH, makers of a remote desktop application called AnyDesk. In a post on its website on February 2, AnyDesk confirmed that it had conducted a security audit following “indications of an incident” affecting “some” of its systems, which led to the discovery of a compromise of its production systems.

When did this incident occur?

No specific time frame for the incident was shared in AnyDesk’s post. However, AnyDesk announced it would be undergoing a 48-hour maintenance period on January 30 on its X (formerly known as Twitter) account.

my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less. You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete. We apologize for any inconvenience…

— AnyDesk Software (@anydesk) January 30, 2024

What exactly happened during this incident?

AnyDesk did not share any specifics in its post about what information may have been exposed during the attack, only noting that they found evidence of “compromised production systems.” However, sources have told BleepingComputer that threat actors “accessed source code and code signing certificates” during the incident. According to AnyDesk, the security event they experienced was “not related to ransomware.”

As of February 2, much of this information is still preliminary and we expect more information to come to light in the coming days.

Did AnyDesk revoke the compromised code signing certificates?

Yes, AnyDesk released a new version of its Windows application on January 29 that includes a new code signing certificate. However, AnyDesk says they plan to revoke “the previous code signing certificate for our binaries shortly” though it is unclear if other versions of AnyDesk will be updated soon.

Is this a supply chain compromise?

Based on the limited information available as of February 2, there are no indications that a supply chain incident has occurred. While code signing certificates were “accessed,” existing AnyDesk binaries do not appear to have been tampered with as far as we know.

What else has AnyDesk done in response to this incident?

AnyDesk says they revoked security-related certificates, revoked passwords to their web portal and are recommending customers reset any passwords that they may have reused for their AnyDesk portal.

Solution

As of February 2, AnyDesk has only released one new version of AnyDesk for Windows that includes a new code signing certificate. Here is the list of AnyDesk software versions as of February 2.

We do not have definitive confirmation that other versions of AnyDesk will be updated with new code signing certificates, but we are listing the versions above for informational purposes. If the versions change, we will update the table above.

Identifying affected systems

Tenable is releasing an AnyDesk local detection plugin and a vulnerable version check plugin for Windows. We will update this blog with information about additional coverage.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.