AnyDesk, the maker of the remote desktop program of the same name, has confirmed a cyberattack in which hackers gained access to the company’s production environment. Since authentication tokens are only present on the end user’s device and are linked to the device by its fingerprint, AnyDesk claimed that none were stolen during the attack. The company has, however, removed all passwords from its website as a matter of caution and advises users to change them, particularly if they are already in use elsewhere. Additionally, all prior code signing certificates will be revoked by AnyDesk.
Since the old code signing certificate will soon be revoked, it is strongly advised that all users install the most recent version of the software (version 8.0.8 for Windows). Additionally, all AnyDesk users are strongly advised to change their passwords, especially if they use them at other websites, despite the company’s assurance that the attack did not result in password theft.
To find executables in your environment that have been signed with an older, to-be-revoked certificate (including earlier AnyDesk client versions), use the following query:
((src.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH'))
OR (tgt.process.publisher in:anycase ('PHILANDRO SOFTWARE GMBH')))
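The query above matches processes by publisher as they run. To check files on disk on a single Windows host, the same publisher string can be matched against Authenticode signer certificates. This is an added example, not part of the original advisory; the scan roots and the case-insensitive match on the certificate subject are assumptions to adjust for your environment.

```powershell
# Added example: on-disk sweep for binaries whose Authenticode signer matches
# the publisher string used in the hunting query.
# Assumption: $Roots covers the locations worth scanning on this host.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                         $env:ProgramData, "$env:SystemDrive\Users"),
    [string]$Publisher = 'PHILANDRO SOFTWARE GMBH'
)

$extensions = '.exe', '.dll', '.msi'

$hits = foreach ($root in $Roots) {
    # Skip empty or missing roots (for example, no x86 folder on 32-bit hosts).
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $extensions } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $cert = $sig.SignerCertificate

            # -like is case-insensitive, mirroring in:anycase in the query.
            if ($cert -and $cert.Subject -like "*$Publisher*") {
                [pscustomobject]@{
                    Path            = $_.FullName
                    FileVersion     = $_.VersionInfo.FileVersion
                    SignatureStatus = $sig.Status       # Valid, NotTrusted, HashMismatch, ...
                    Thumbprint      = $cert.Thumbprint  # groups files by signing certificate
                    CertNotAfter    = $cert.NotAfter
                }
            }
        }
}

# One row per matching file; compare FileVersion against the fixed release
# named in the advisory to decide what to upgrade or remove.
$hits | Sort-Object Path
```

Run it from an elevated session so other users' profile directories are readable, and pipe the output to `Export-Csv` to collect results across hosts.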
As the situation develops, we’ll keep adding context and insight so we can give you more precise advice on how to reduce risk in your environment.
Team of SentinelOne Vigilance