Remote access giant AnyDesk resets passwords and revokes certificates after hack

Carly Page
Updated ·2 min read

Remote desktop software provider AnyDesk confirmed late Friday that a cyberattack allowed hackers to gain access to the company’s production systems, putting the company in lockdown for almost a week.

AnyDesk’s software is used by millions of IT professionals to quickly and remotely connect to their clients' devices, often to help with technical issues. On its website, AnyDesk claims to have more than 170,000 customers, including Comcast, LG, Samsung and Thales.

The software is also a popular tool among threat actors and ransomware gangs, which have long used the software for gaining and maintaining access to a victim’s computer and data. U.S. cybersecurity agency CISA said in January that hackers had compromised federal agencies using legitimate remote desktop software, including AnyDesk.

News of the suspected breach began to spread last Monday when AnyDesk announced it had swapped its code-signing certificates, which companies use to prevent hackers from tampering with their code. Following a days-long outage, AnyDesk confirmed in a statement late on Friday that the company had “found evidence of compromised production systems.”

AnyDesk said that as part of its incident response, the company had revoked all security-related certificates, remediated or replaced systems where necessary and invalidated all passwords to AnyDesk's customer web portal.

“We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” the company added Friday.

AnyDesk said the incident is not related to ransomware but did not disclose the specific nature of the cyberattack.

AnyDesk spokesperson Matthew Caldwell did not respond to an email from TechCrunch. CrowdStrike, which is working with AnyDesk to remediate the cyberattack, declined to answer TechCrunch’s questions when reached Monday.

AnyDesk did not respond to questions asking if any customer data was accessed, though the company said in its statement that there is “no evidence that any end-user systems have been affected.”

“We can confirm that the situation is under control and it is safe to use AnyDesk,” AnyDesk said. “Please ensure that you are using the latest version, with the new code signing certificate.”

AnyDesk has already faced criticism for its handling of the cyberattack so far. As first reported by German blogger Günter Born, AnyDesk initially claimed the four days of disruption starting January 29, during which the company blocked users from the ability to log in, was "maintenance." Jake Williams, a veteran incident responder, accused AnyDesk in a post on X of pulling a "PR move" by disclosing the cyberattack to customers just before the weekend.

Security researchers say hackers are selling access to AnyDesk accounts purportedly affected by the breach on known cybercrime forums, but also note that the stolen account details are likely sourced from previous malware infections involving password-stealing malware on a user's computer.

Do you have any more information about this incident? You can contact Carly Page securely on Signal at +441536 853968 or by email. You can also contact TechCrunch via SecureDrop.