Frequently Asked Questions on Security Incident at AnyDesk
Frequently asked questions relating to a security incident at AnyDesk that was publicly disclosed on February 2.
Update February 7: The blog has been updated with new information from AnyDesk including a new FAQ document, a new version of AnyDesk for macOS and an updated list of Tenable product coverage.
Background
The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding a security incident at AnyDesk.
FAQ
What is the incident being reported at AnyDesk?
Since February 1, reports began circulating on social media about a possible breach at AnyDesk Software GmbH, makers of a remote desktop application called AnyDesk. In a post on its website on February 2, AnyDesk confirmed that it had conducted a security audit following “indications of an incident” affecting “some” of its systems, which led to the discovery of a compromise of its production systems.
When did this incident occur?
No specific time frame for the incident was shared in AnyDesk’s post. However, AnyDesk announced it would be undergoing a 48-hour maintenance period on January 30 on its X (formerly known as Twitter) account.
my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less. You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete. We apologize for any inconvenience…
— AnyDesk Software (@anydesk) January 30, 2024
What exactly happened during this incident?
AnyDesk did not share any specifics in its post about what information may have been exposed during the attack, only noting that they found evidence of “compromised production systems.” However, sources have told BleepingComputer that threat actors “accessed source code and code signing certificates” during the incident. According to AnyDesk, the security event they experienced was “not related to ransomware.”
As of February 2, much of this information is still preliminary and we expect more information to come to light in the coming days.
Did AnyDesk revoke the compromised code signing certificates?
Yes, AnyDesk released a new version of its Windows application on January 29 that includes a new code signing certificate. However, AnyDesk says they plan to revoke “the previous code signing certificate for our binaries shortly” though it is unclear if other versions of AnyDesk will be updated soon.
Is this a supply chain compromise?
Based on the limited information available as of February 2, there are no indications that a supply chain incident has occurred. While code signing certificates were "accessed," existing AnyDesk binaries do not appear to have been tampered with as far as we know.
What else has AnyDesk done in response to this incident?
AnyDesk says they revoked security-related certificates, revoked passwords to their web portal and are recommending customers reset any passwords that they may have reused for their AnyDesk portal.
Is there any other official source of information from AnyDesk about this incident?
Yes, AnyDesk has published an FAQ document on its website on February 5. They’ve also updated their public statement.
What versions of AnyDesk are safe to use?
According to AnyDesk’s FAQ document, versions 7.0.15 through 8.0.8 are considered to be the latest versions of AnyDesk that are recommended for customers. So far, we’ve only seen confirmations that AnyDesk 8.0.8 for Windows and AnyDesk 8.0.0 for macOS have been signed with the new code signing certificates.
Solution
As of February 6, AnyDesk released at least two new versions of AnyDesk, one for Windows and one for macOS that include the new code signing certificate. Here is the list of AnyDesk software versions as of February 6.
| AnyDesk Solution | Version | Last Updated |
|---|---|---|
| Windows | 8.0.8 | January 29, 2024 |
| macOS | 8.0.0 | February 6, 2024 |
| Android | 7.1.0 | November 6, 2023 |
| iOS | 7.1.0 | December 13, 2023 |
| tvOS | Unknown | Unknown |
| Linux | 6.3.0 | August 10, 2023 |
| FreeBSD | 6.1.0 | January 28, 2021 |
| Raspberry Pi | 6.3.0 | August 10, 2023 |
| On-Premises Solution | 2.1.3 | December 4, 2023 |
We do not have definitive confirmation that other versions of AnyDesk will be updated with new code signing certificates, but we are listing the versions above for informational purposes. If the versions change, we will update the table above.
Identifying affected systems
Tenable has released the following local detection plugins and vulnerable version check plugins for AnyDesk.
| Plugin ID | Name |
|---|---|
| 189953 | AnyDesk Installed (Windows) |
| 189955 | AnyDesk Installed (macOS) |
| 189973 | AnyDesk Installed (Linux) |
| 189954 | AnyDesk < 8.0.8 Invalidated Signing Certificate |
We will update this blog with information about additional coverage.
Change Log
Update February 7: The blog has been updated with new information from AnyDesk including a new FAQ document, a new version of AnyDesk for macOS and an updated list of Tenable product coverage.
Get more information
- AnyDesk Incident Response 2-2-2024
- AnyDesk Incident Response 5-2-2024
- AnyDesk FAQ
- BleepingComputer: AnyDesk says hackers breached its production servers, resets passwords
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Related Articles
Volt Typhoon: What State and Local Government Officials Need to Know
November 19, 2024Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 19, 2024Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
November 18, 2024Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.
Volt Typhoon: What State and Local Government Officials Need to Know
November 19, 2024Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 19, 2024Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
November 18, 2024Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management