AnyDesk is a remote desktop program often used by network administrators to connect to other computers to collaborate on projects or assist with technical issues. Like any similar program, its ability to connect to other computers makes it a candidate for misuse by cybercriminals seeking access to a victim's computer. This is why the recent appearance on the Dark Web of a significant number of AnyDesk customer credentials for sale is of concern.
Such information being available for cybercriminals to purchase and exploit could act as a catalyst for new attacks, including targeted phishing campaigns.
With additional context about a particular customer in hand, an attacker's probability of a successful compromise increases significantly.
For example, these details could be used in malicious emails that impersonate the software vendor, a managed services provider, or an IT outsourcing company the victim already knows or uses, in order to extract further sensitive information.
By gaining access to the AnyDesk portal, bad actors could learn meaningful details about the customers, including, but not limited to, the license key in use, the number of active connections, session durations, customer ID and contact information, the email address associated with the account, and the total number of hosts with the remote access software activated, along with their online or offline status and IDs.
How the credentials were stolen is unclear, though the most likely explanation is infostealer malware harvesting saved logins from compromised endpoints.
In a public statement on February 02, 2024, AnyDesk said, "As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere."
Notably, the AnyDesk incident follows reports that Cloudflare, Microsoft, and Hewlett Packard Enterprise were also targeted by a suspected nation-state actor.
Pierluigi Paganini, "Anydesk Incident: Customer Credentials Leaked and Published for Sale on The Dark Web," securityaffairs.com (Feb. 04, 2024)
Commentary
When breaches or possible breaches are announced, the smart move is to change your passwords immediately.
Long, hard-to-guess passwords that are unique to each service limit the damage when one set of credentials is stolen, because a leaked password cannot then be replayed against other accounts; a password manager makes that practical, and rotation matters most at the moment a compromise is suspected.
According to "additional context acquired from the actor (i.e., the cybercriminals)," the majority of the exposed accounts offered on the Dark Web did not have two-factor authentication (2FA) enabled.
The additional security layer provided by 2FA could mean the difference between the minor inconvenience of changing a password and losing everything on an organization's network to cybercriminals.