Image: AnyDesk/PhotoMosh

AnyDesk says software ‘safe to use’ after cyberattack

Popular remote monitoring and management software company AnyDesk said all versions of its tool obtained from “official sources” are safe to use following a cyberattack that caused days of outages and concern among users. The cyberattack affected servers in Spain and Portugal but nowhere else, AnyDesk said.

The company confirmed last Friday that a four-day outage starting on January 29 was sourced back to a cyberattack involving the compromise of AnyDesk production systems. AnyDesk hired security company CrowdStrike to help with the remediation and recovery alongside unnamed law enforcement agencies.

The situation caused alarm among users after BleepingComputer reported that source code and private code signing keys were stolen during the attack. The company forced a password reset for customers, causing further concern about whether user data was affected by the incident.

In response to questions, AnyDesk spokesperson Matthew Caldwell directed Recorded Future News to a new statement and FAQ page on Tuesday that provided details about the incident.

The company “immediately took all necessary steps to investigate and mitigate the incident and continue to cooperate with all relevant authorities.” The software is safe to use but AnyDesk recommends using the latest versions, the statement said.

“The forced password reset for our customer portal was done out of an abundance of caution. We have no evidence that any customer data has been exfiltrated. Again, we also have no evidence that any end-user devices have been affected by this incident,” the statement explained.

According to the FAQ responses, the incident did not involve ransomware or an extortion attempt.

Spain and Portugal

AnyDesk said it does not believe user credentials were affected by the cyberattack but it “cannot rule out the theoretical possibility for a short period of time.”

The statement goes on to explain that its systems are designed to not store private keys, security tokens or passwords from user end devices. Instead, when users enter credentials they are relayed through a server. Two of these relay servers in Spain and Portugal were affected by the cyberattack last week.

“Our assessment concluded that there was only a theoretical risk of credentials being compromised. Even to read credentials from these extremely limited connections, the attackers would have had to rewrite the very extensive code of our software in the very short time available, trick users into using a fake version of our software and then have them enter their password. This seems unlikely, although not impossible,” AnyDesk said.

The company also addressed several concerns raised by cybersecurity experts that AnyDesk source code was compromised — allowing for potentially devastating supply chain attacks.

AnyDesk said on Tuesday that it has “no indication that compromised versions of… software have been or are being distributed.”

It also revoked all security-related certificates and is in the process of revoking the code signing certificate as an added precaution, urging users to refrain from downloading the software from third-party sites and only the latest versions from AnyDesk directly. Malware is not being spread via AnyDesk, the company said.

“We have performed a review of our code and see no malicious modifications. We also have no evidence of malicious code being distributed to customers through any AnyDesk systems,” the statement says.

AnyDesk has faced scrutiny in the past because it has been abused prolifically by cybercriminals. The U.S. Cybersecurity and Infrastructure Security Agency said two federal agencies were hacked last year as part of a refund scam campaign perpetrated through the use of AnyDesk and other remote tools.

Multiple ransomware gangs have either been caught using AnyDesk or admitted themselves to using the tool during attacks.

AnyDesk says it has more than 170,000 customers across the world that include organizations like the United Nations as well as Samsung, Comcast, Nvidia and more.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.