Proactive Response: Any Breach (AnyDesk Incident)
No One Is Immune. AnyDesk was breached, but the breach itself is not the core problem. The problem is running a remote desktop tool that attackers can abuse inside a sensitive environment. Many investigations I did in the past involved AnyDesk as a crucial and weak link in the attack flow.
The Breach in a Nutshell
AnyDesk, a remote access software company based in Germany with 170,000 customers globally, including Comcast and Thales, has confirmed that its production systems were compromised in a security incident. After client logins failed, the company spent three days sweating it out, telling customers only that it was performing unplanned maintenance. A changelog showed that it invalidated its previous code signing certificate on January 29.

In a security advisory released late on Friday, February 2, AnyDesk announced: “Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems.”

AnyDesk also mentioned: “We have revoked all security-related certificates, and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly.”
The Borncity website published a post about the AnyDesk breach with additional information, titled “AnyDesk confirmed, they have been hacked in January 2024, Production systems affected.”
From the Borncity website: “On January 25, 2024, a reader contacted me and complained about constant “malfunctions” with the AnyDesk remote maintenance software. The reader could no longer establish a connection from January 20, 2024. In addition, license keys were suddenly no longer accepted. AnyDesk support only stated that there were “Current problems with the server connections”. Below is a screenshot of a Statement (in German) from the AnyDesk support.”
Something We Know
What we know about the attack so far, from the field and from information on the web:
- Production systems were compromised, and AnyDesk is revoking the code signing certificate used for Windows versions prior to 8.0.8.
- The signer’s name is “philandro Software GmbH.”
- The certificate serial number is “0dbf152deaf0b981a8a938d53f769db8.”
- This certificate was originally created in December 2021 and was set to expire in January 2025.
- There are no indications of a supply chain incident. While code signing certificates were accessed, existing AnyDesk binaries do not appear to have been tampered with. (Based on the limited information available as of February 2)
- AnyDesk revoked security-related certificates and passwords to their web portal and recommended that customers reset any passwords they may have reused for their AnyDesk portal.
- AnyDesk released a new version of its Windows application on January 29, including a new code signing certificate.
- AnyDesk plans to revoke the previous code signing certificate, though it is unclear if other versions of AnyDesk will be updated soon.

Note: Code-signing certificates issued by a trusted third party identify the publisher of the software. When a signed binary is installed, the OS validates its signature against the certificate to ensure the file has not been tampered with.
KQL Hunting 4 Fun
You can use Microsoft Sentinel or Advanced Hunting in Defender XDR to hunt for AnyDesk binaries and their connections.
Note: The following queries should work in any environment, but first you must understand the environment you are hunting in, to reduce false positives and be accurate before you block or contain the executable and its connections.
I could play with these queries and hunt for hours, but we didn’t have extra time, so I am sharing a few of them.
The AnyDesk executable can appear in many tables, such as DeviceEvents and others; it depends on the environment. Mostly it will show up in the Defender for Endpoint tables.
A Potential Hunting
The first query searches DeviceFileEvents for any “AnyDesk.exe” file activity.
DeviceFileEvents
| where TimeGenerated >= ago(31d)            // Sentinel column; in Defender XDR Advanced Hunting use Timestamp
| where FileName =~ "AnyDesk.exe"            // =~ is case-insensitive; == would miss "anydesk.exe"
| summarize count() by InitiatingProcessCommandLine, ActionType, FolderPath, FileName

Then, we can run another query with the DeviceEvents table and look for specific operations.
DeviceEvents
| where TimeGenerated >= ago(30d)
| where InitiatingProcessFileName =~ "anydesk.exe"   // filter first, then parse; =~ ignores case
// AdditionalFields is JSON text, so parse it before reading keys
| extend Flags_ = tostring(parse_json(AdditionalFields).Flags)
| extend OperationType = tostring(parse_json(AdditionalFields).OperationType)
| summarize count() by InitiatingProcessVersionInfoProductVersion, DeviceName, OperationType, InitiatingProcessFileName, InitiatingProcessCommandLine

Note: CryptProtectData calls, via RPC, into the Protected Storage service, which resides in LSASS. From the disassembly of lsasrv.dll: SPCryptProtect calls into GetSpecifiedMasterKey, which can return NTE_BAD_KEY_STATE.
Once you have that initial picture, you can search for the AnyDesk executable itself (identified by its version info rather than its file name) making successful network connections.
DeviceNetworkEvents
| where TimeGenerated >= ago(31d)
| where InitiatingProcessVersionInfoCompanyName =~ "philandro Software GmbH"
    and InitiatingProcessVersionInfoProductName =~ "AnyDesk"
| where ActionType == "ConnectionSuccess"
| project TimeGenerated, ActionType, DeviceName, RemoteIP, RemoteUrl

When searching for a specific RemoteIP, the result will be like the image below.
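A follow-up to the network query above, added here as an example and not part of the original post: instead of looking for one known RemoteIP, it baselines the destinations AnyDesk connected to during the first 24 days of the window and returns only destinations that first appeared in the last 7 days. Column names follow the Microsoft Sentinel schema (TimeGenerated); in Defender XDR Advanced Hunting the equivalent column is Timestamp. The window lengths are assumptions to tune for your environment.

```kql
// Added example (not from the original post): AnyDesk destinations that appeared
// in the last 7 days but never in the preceding 24 days.
// Assumes Sentinel column names (TimeGenerated); use Timestamp in Defender XDR.
let baselineStart = ago(31d);   // assumed total window
let recentStart   = ago(7d);    // assumed "new destination" window
let anydeskConnections =
    DeviceNetworkEvents
    | where TimeGenerated >= baselineStart
    | where InitiatingProcessVersionInfoCompanyName =~ "philandro Software GmbH"
        and InitiatingProcessVersionInfoProductName =~ "AnyDesk"
    | where ActionType == "ConnectionSuccess"
    | project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl;
// Destinations already seen before the recent window form the baseline
let baseline =
    anydeskConnections
    | where TimeGenerated < recentStart
    | distinct RemoteIP;
anydeskConnections
| where TimeGenerated >= recentStart
| join kind=leftanti (baseline) on RemoteIP      // keep only IPs absent from the baseline
| summarize Connections = count(),
            FirstSeen   = min(TimeGenerated),
            Devices     = make_set(DeviceName),
            Urls        = make_set(RemoteUrl)
          by RemoteIP, RemotePort
| order by FirstSeen asc
```

Review the result against your own knowledge of the environment before acting on it: a newly deployed AnyDesk relay or a new remote office will also show up as a "new" destination.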

Next, we will search for the specific “CertificateSerialNumber” and “Signer”.
DeviceFileCertificateInfo
| where TimeGenerated >= ago(31d)
| where CertificateSerialNumber =~ "0dbf152deaf0b981a8a938d53f769db8"
    and Signer =~ "philandro Software GmbH"
| project TimeGenerated, DeviceName, CertificateSerialNumber, Signer
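An added example, not from the original post, that ties the certificate query to actual executions: it collects the SHA1 of every file that DeviceFileCertificateInfo reports as signed with the revoked serial and signer, joins that to DeviceProcessEvents to see where those binaries ran, and additionally flags AnyDesk builds whose product version is below 8.0.8 (the version from which the re-signed Windows release applies). Column names are the Sentinel ones (TimeGenerated); use Timestamp in Defender XDR. The 31-day lookback is an assumption.

```kql
// Added example (not from the original post): correlate the revoked signer
// certificate with process executions and flag AnyDesk builds older than 8.0.8.
// Assumes Sentinel column names (TimeGenerated); use Timestamp in Defender XDR.
let lookback      = 31d;                                   // assumed lookback
let revokedSerial = "0dbf152deaf0b981a8a938d53f769db8";    // serial from the advisory
let revokedSigner = "philandro Software GmbH";             // signer from the advisory
// Hashes of every file seen on endpoints that carries the revoked certificate
let revokedHashes =
    DeviceFileCertificateInfo
    | where TimeGenerated >= ago(lookback)
    | where CertificateSerialNumber =~ revokedSerial and Signer =~ revokedSigner
    | distinct SHA1, CertificateSerialNumber, Signer;
DeviceProcessEvents
| where TimeGenerated >= ago(lookback)
| where ProcessVersionInfoProductName =~ "AnyDesk" or FileName =~ "AnyDesk.exe"
| join kind=leftouter (revokedHashes) on SHA1
// Rows with no match from the join have an empty CertificateSerialNumber
| extend SignedWithRevokedCert = isnotempty(CertificateSerialNumber)
// parse_version() turns "7.1.11" into a comparable value; builds below 8.0.8
// predate the re-signed release named in the advisory
| extend BelowPatchedVersion = isnotempty(ProcessVersionInfoProductVersion)
    and parse_version(ProcessVersionInfoProductVersion) < parse_version("8.0.8")
| where SignedWithRevokedCert or BelowPatchedVersion
| summarize Executions = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Versions   = make_set(ProcessVersionInfoProductVersion)
          by DeviceName, FolderPath, SHA1, SignedWithRevokedCert, BelowPatchedVersion
| order by SignedWithRevokedCert desc, LastSeen desc
```

Devices where SignedWithRevokedCert is true are the ones to prioritise for updating to the re-signed build; BelowPatchedVersion on its own usually just means an outdated but legitimate install, so check the version set before containing anything.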

More updates on my X Profile.
Gr8 article but can’t use hunting queries (copy is blocked..)