A few notes on #AnyDesk:
* This shouldn't be coming out on a Friday afternoon when they took systems offline days ago. This is a PR move. Companies that are being transparent don't play these shenanigans
* Your code signing cert was stolen? 1/n
anydesk.com/en/public-statem…

Feb 2, 2024 · 10:45 PM UTC

12
58
5
207
That alone means one of two things: you're not following good security procedures for your dev environment or the depth of this intrusion is much broader than implied.
* Change your passwords and any credentialing material exposed to AnyDesk. Not worth the risk. 2/n
* Threat hunt in your environment anywhere you had AnyDesk installed for anomalous activity over at least the last 30 days. When the intrusion vector isn't being shared, you have to presume they don't yet know. Even if they know, it's usually a leap to say what was accessed. 3/n
Think about it: do you think a threat actor jumped onto one machine and pulled a code signing cert and that's it? No? Oh, okay.
* Consider disabling AnyDesk in your environment, either by disabling the agent through GPO or blocking at a network level until more is known. 4/n
I don't have any inside knowledge on this particular incident. But I've worked plenty of incidents in my day and the reporting on this one stinks to high heaven. You can say I'm overreacting, but I'm betting this isn't the last we'll hear about this incident. /FIN
Replying to @MalwareJake
Crazy: anydesk.com/en/compliance “AnyDesk's data center partners are ISO/IEC 27001 certified, which is the international standard for information security management systems and security controls.” Their cert? LI can’t find a sec person. click on security and see their customers..
Replying to @MalwareJake
Just another company that failed to shift left... like a number of other companies out here. It's not surprising and it's super depressing.
Replying to @MalwareJake
Absolutely. I have a feeling we’re going to see a lot more info come out, and it’s gonna probably get worse with each press release. 😬
Replying to @MalwareJake
It should be fine if I have 2FA on every machine running AnyDesk, right? (second factor when connecting with AnyDesk)
Replying to @MalwareJake
This is certainly a problem and I’m betting IRs began their response activities looking for needles in the haystack before they announced anything. Companies have to be more willing to contact their customers to let them know “Houston, we’ve got a problem”. NDAs govern this.