Experiencing a Breach?
en
Platform
Why SentinelOne?
Services
Partners
Resources
About
en
Get a Demo

Customer Guidance on Emerging AnyDesk Cybersecurity Incident

by SentinelOne

UPDATE: AnyDesk has released additional information following the events of their recent cyberattack, validating that the source code of their agent was not tampered with and confirming that all AnyDesk versions obtained from official channels are safe to utilize.

Given these developments, the severity of the incident has been reduced.  However, customers are encouraged to follow AnyDesks’s recommendations to upgrade to the latest version of their software (version 8.0.8 and 7.0.15).

Any customers who leveraged the query provided previously should consider adjusting it for use in monitoring outdated versions for upgrading.

SentinelOne will continue to monitor the situation and will provide additional information if it becomes available.

 

Feb 2nd, 2024

AnyDesk, a remote desktop software, has recently released confirmation of a cyberattack in which hackers were able to access the company’s production environment.  Anydesk stated that no authentication tokens were stolen during the attack, as these tokens only exist on the end user’s device and are associated with the device’s fingerprint. However, out of caution, the company has revoked all passwords to their web portal and recommends users change their passwords, especially if they are used on other sites. Further, AnyDesk will be revoking all previous code signing certificates.

It is strongly recommended that all users install the latest version  of the software (version 8.0.8 for Windows, other binaries are still using the old certificate), as the old code signing certificate will soon be revoked. Furthermore, despite AnyDesk’s assurance that passwords were not stolen in the attack, it is strongly advised that all AnyDesk users change their passwords, especially if they use their AnyDesk password at other sites.

The following query can be used to identify executables in your environment that have been signed with the older, to-be revoked certificate (including prior versions of the Anydesk client):

((src.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH')) OR (tgt.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH')))

We will continue to provide more context and insight as the situation unfolds so that we can provide you more exact guidance to help mitigate risk in your environment.

SentinelOne Vigilance Team

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Read More

Get a demo

Defeat every attack, at every stage of the threat lifecycle with SentinelOne

Book a demo and see the world’s most advanced cybersecurity platform in action.

Get Demo

SentinelLabs

SentinelLabs: Threat Intel & Malware Analysis

We are hunters, reversers, exploit developers, & tinkerers shedding light on the vast world of malware, exploits, APTs, & cybercrime across all platforms.

VISIT SITE

Wizard Spider and Sandworm

MITRE Engenuity ATT&CK Evaluation Results

SentinelOne leads in the latest Evaluation with 100% prevention. Leading analytic coverage. Leading visibility. Zero detection delays.

SEE RESULTS