AnyDesk revokes signing certs, portal passwords after crooks sneak into systems

Horse, meet stable door

AnyDesk has copped to an IT security "incident" in which criminals broke into the remote-desktop software maker's production systems. The biz has told customers to expect disruption as it attempts to lock down its infrastructure.

The application developer, which is said to have more than 170,000 customers worldwide, disclosed the intrusion in a statement on its website late on Friday, claiming it is "not related to ransomware."

While there's no specific mention of stolen data, some infosec analysts have pointed out that the disclosure indicates that criminals got hold of AnyDesk's code signing certificate. That would allow miscreants to pass off malware as legit AnyDesk tools to unsuspecting marks.

"We have revoked all security-related certificates and systems have been remediated or replaced where necessary," AnyDesk said. "We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.

"As a precaution, we are revoking all passwords to our web portal, and we recommend that users change their passwords if the same credentials are used elsewhere."

According to infosec world watchers, criminals are selling AnyDesk customer credentials on the dark web, though these may not be related to this latest heist. AnyDesk says it has hired CrowdStrike to assist with remediation and incident response, and notified the authorities.

"We can confirm that the situation is under control and it is safe to use AnyDesk," the statement continued. "Please ensure that you are using the latest version, with the new code signing certificate."

Other security shops warned that the pillaging has already begun with "multiple threat actors" selling access to stolen AnyDesk credentials.

As of February 3, a day after AnyDesk disclosed the incident, Resecurity said one of these miscreants had listed more than 18,000 AnyDesk customer credentials for sale:

Cyber threat intelligence analysts from our HUNTER team were able to establish contact with the actor to acquire context about this activity. The actor said – "this data is ideal for technical support scams and mailing (phishing)". These compromised account credentials are believed to have been obtained via infostealer infections.

Nick Hyatt, director of threat intelligence at managed detection and response firm BlackPoint, told The Register that the credentials are legitimate, but not newly stolen.

"They are part of a compilation of credentials amassed from previous infostealer dumps," Hyatt said, adding that it's a good example of criminals using new breaches to make a buck on previously stolen secrets. ®
