Cborales
Staff

Background

AnyDesk is a remote desktop solution that lets customers access their machines over the internet from wherever they are located. AnyDesk has 170,000 customers worldwide, including major players in various industry verticals.


On February 2, 2024, AnyDesk reported that it had found indications that its production server was compromised. AnyDesk revoked all security-related certificates that had been used to sign its binaries and issued a new one.


The Problem

The FortiGuard Applied Threat Research (ATR) team suspects that attackers with access to the revoked certificate could use it to sign and distribute malware disguised as legitimate software. Because the signature would still be trusted by systems that have not processed the revocation, this can bypass security measures and have devastating consequences, such as data breaches, ransomware attacks, and reputational damage.


FortiGuard ATR

FortiGuard ATR continually processes threat intelligence from various sources and creates detections so that FortiNDR Cloud customers can detect and respond to network-related threats. FortiNDR Cloud's extended coverage base was used to detect instances of executables signed with the revoked AnyDesk certificate.


FortiNDR Cloud: Detection Coverage

FortiNDR Cloud, Fortinet's SaaS-based Network Detection and Response solution, can detect executables that are signed with the revoked AnyDesk certificate and can detect whether AnyDesk was downloaded or used in customer environments. Using these detections, FortiNDR Cloud customers can quickly triage and identify devices running AnyDesk or executing binaries signed with the revoked AnyDesk certificate.


AnyDesk Revoked Code Signing Certificate Executable

The following rule detects executables that are signed with the revoked AnyDesk code signing certificate. The FortiGuard Applied Threat Research (ATR) team considers this activity high severity due to the risk of installing a malicious signed executable.

[Figure: rule "AnyDesk Revoked Code Signing Certificate Executable" (AnyDesk_Revoked_Code_Signing_Certificate_Executable.png)]


AnyDesk Remote Administration Tool Download

The following rule identifies which systems have downloaded AnyDesk and can alert customers to new AnyDesk downloads.

[Figure: rule "AnyDesk Remote Administration Tool Download" (AnyDesk_Remote_Administration_Tool_Download.png)]


Potentially Unauthorized AnyDesk Remote Administration Tool

The following rule detects systems that are actively connecting to AnyDesk. This can help customers determine the scale of AnyDesk usage in their organization.


[Figure: rule "Potentially Unauthorized AnyDesk Remote Administration Tool" (Potentially_Unauthorized_AnyDesk_Remote_Administration_Tool.png)]
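As an added example, not Fortinet's rule logic (which the post does not show), the download and active-use rules above can be approximated over web proxy logs to size AnyDesk usage and spot clients below the versions AnyDesk recommended (7.0.15 and 8.0.8). The proxy log lines, the anydesk.com hostnames and the "AnyDesk/<version>" user agent string are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Constructed proxy log (not real traffic). Fields: time, source host, method, target, status, user agent.
# The anydesk.com hostnames and the "AnyDesk/<version>" user agent are illustrative assumptions.
SAMPLE_PROXY_LOG = """\
2024-02-06T09:14:02Z ws-finance-07 GET https://download.anydesk.com/AnyDesk.exe 200 Mozilla/5.0
2024-02-06T09:15:41Z ws-finance-07 CONNECT relay-1.net.anydesk.com:443 200 AnyDesk/7.0.14
2024-02-06T10:02:33Z srv-build-02 GET https://cdn.example.test/tools/setup.exe 200 curl/8.4.0
2024-02-06T11:45:00Z lt-sales-19 CONNECT boot.net.anydesk.com:443 200 AnyDesk/8.0.6
2024-02-06T12:01:17Z ws-it-03 GET https://download.anydesk.com/AnyDesk.exe 200 Mozilla/5.0
2024-02-06T12:30:05Z ws-it-03 CONNECT relay-2.net.anydesk.com:443 200 AnyDesk/8.0.8
"""

# Minimum versions AnyDesk recommended after the incident (from the post), keyed by major release line.
RECOMMENDED_MIN = {7: (7, 0, 15), 8: (8, 0, 8)}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")
UA_RE = re.compile(r"^AnyDesk/(\d+)\.(\d+)\.(\d+)$")

def triage_anydesk(log_text):
    """Per source host: installer downloads, live AnyDesk connections and client versions seen."""
    hosts = defaultdict(lambda: {"downloads": 0, "connections": 0, "versions": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        _, src, method, target, _, ua = m.groups()
        # CONNECT targets are bare host:port, so give urlparse a scheme-less URL to read them.
        host = urlparse(target if "://" in target else "//" + target).hostname or ""
        is_anydesk_dst = host == "anydesk.com" or host.endswith(".anydesk.com")
        ua_match = UA_RE.match(ua)
        # "AnyDesk Remote Administration Tool Download": installer fetched from AnyDesk infrastructure
        if method == "GET" and is_anydesk_dst and target.lower().endswith((".exe", ".msi")):
            hosts[src]["downloads"] += 1
        # "Potentially Unauthorized AnyDesk Remote Administration Tool": client actively connecting
        if is_anydesk_dst and (method == "CONNECT" or ua_match):
            hosts[src]["connections"] += 1
        if ua_match:
            hosts[src]["versions"].add(tuple(int(x) for x in ua_match.groups()))
    return dict(hosts)

def outdated_clients(summary):
    """Hosts whose AnyDesk client is older than the version recommended for its major line."""
    flagged = {}
    for src, info in summary.items():
        old = {v for v in info["versions"] if v < RECOMMENDED_MIN.get(v[0], v)}
        if old:
            flagged[src] = sorted(old)
    return flagged
```

Hosts with downloads but no connections are candidates for a fresh install that has not yet been used; hosts in `outdated_clients` are the ones to upgrade first.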


Next Steps

On February 5, 2024, AnyDesk reported that it had taken all necessary steps to investigate and mitigate the incident and continued to cooperate with the relevant authorities. AnyDesk also recommends that customers use the latest versions (7.0.15, 8.0.8) of its software.


FortiNDR Cloud customers can find the above detection rules in the portal once a detection fires for an impacted device. The next steps listed in each rule guide customers through investigative and corrective actions.


For further assistance, please contact your FortiNDR Cloud TSM or FortiCare support at https://www.fortinet.com/support/contact