Threat Alert: The Anydesk Breach Aftermath

Cybereason is investigating incidents involving abuse of AnyDesk code signing certificates after AnyDesk reported a compromise of its production systems and revoked its existing certificates. Attackers have reportedly used the stolen certificate to sign malware such as Agent Tesla; AnyDesk has since issued new certificates and forced credential resets. #AnyDesk #CodeSigning #AgentTesla #Trojan #philandroSoftwareGmbH #VirusTotal

Keypoints

  • Cybereason Security Services is investigating incidents involving abuse of AnyDesk code signing certificates.
  • AnyDesk confirmed a compromise of production systems and revoked security-related certificates, issuing new ones.
  • Attackers reportedly stole proprietary AnyDesk source code and a private code signing certificate (i.e. the signing key); no supply chain incident had been confirmed at the time of publication.
  • Code signing abuse leverages the trust placed in a signer to distribute malware and evade detection; VirusTotal data shows that many malicious samples signed with the stolen certificate still carried signatures that validated.
  • Malware signed with the compromised certificate includes Trojans such as Agent Tesla: over 500 Agent Tesla samples signed with it have been uploaded to VirusTotal since June 2022, well before AnyDesk's disclosure.
  • Cybereason recommends updating AnyDesk software, rotating credentials, downloading binaries only from the official site, and proactively hunting for certificate abuse.
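As an added example (not code from the Cybereason post or from AnyDesk), the script below shows one way to act on the hunting recommendation: it walks the PE header to the Authenticode security directory, pulls out the embedded PKCS#7 blob, and flags files whose signature blob names the revoked signer "philandro Software GmbH". It uses only the Python standard library and deliberately does not validate the chain; it is a triage filter, and every hit should be checked with signtool or Get-AuthenticodeSignature. The sample PE images it builds are constructed test data with a fake certificate payload, not real AnyDesk binaries, and the "Example Signer Ltd" name is a placeholder. Remember that legitimate AnyDesk builds prior to 8.0.8 are also signed with this certificate, so a hit means "inspect and update", not "malware".

```python
"""Triage scan for PE files whose Authenticode blob names the revoked AnyDesk signer.
Added example, not part of the original alert. Stdlib only; no chain validation."""
import struct
import sys
from typing import Iterable, List, Optional

# Subject name of the revoked AnyDesk code signing certificate, as given in the alert.
REVOKED_SIGNER = b"philandro Software GmbH"

IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # index of the certificate table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def find_authenticode_blob(data: bytes) -> Optional[bytes]:
    """Return the PKCS#7 payload of the PE's first WIN_CERTIFICATE, or None.
    Note: the security directory's "VirtualAddress" is a raw file offset, not an RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: data directories start at +96
        dd_offset = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories start at +112
        dd_offset = opt + 112
    else:
        return None
    sec_entry = dd_offset + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if sec_entry + 8 > opt + size_of_optional or sec_entry + 8 > len(data):
        return None
    cert_off, cert_size = struct.unpack_from("<II", data, sec_entry)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return None
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or dw_length < 8:
        return None
    return data[cert_off + 8: cert_off + min(dw_length, cert_size)]


def signed_by_revoked_cert(data: bytes) -> bool:
    """True if the PE carries an Authenticode blob that mentions the revoked signer.
    A substring match over the PKCS#7 blob: fast, but it also matches the name inside
    any embedded certificate, so treat a hit as "needs a full signature check"."""
    blob = find_authenticode_blob(data)
    return blob is not None and REVOKED_SIGNER in blob


def hunt(paths: Iterable[str]) -> List[str]:
    """Return the subset of paths whose file is flagged by signed_by_revoked_cert."""
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                if signed_by_revoked_cert(fh.read()):
                    hits.append(path)
        except OSError:
            continue                         # unreadable path: skip, do not abort the hunt
    return hits


def build_sample_pe(cert_payload: Optional[bytes]) -> bytes:
    """Construct a minimal, non-runnable PE32+ image for offline testing.
    cert_payload is a fake stand-in for the PKCS#7 SignedData (constructed test data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                        # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    headers_len = 64 + 4 + 20 + 240                             # 328, already 8-byte aligned
    win_cert = b""
    if cert_payload is not None:
        win_cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_payload
        win_cert += b"\0" * (-len(win_cert) % 8)                # certificate table is 8-aligned
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         headers_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    # Usage: python hunt_philandro.py C:\path\a.exe C:\path\b.dll ...
    for hit in hunt(sys.argv[1:]):
        print(f"REVOKED SIGNER PRESENT: {hit}")
```

On a real endpoint you would feed `hunt()` every PE under the usual drop locations (user profiles, temp directories, RMM install paths) and then confirm each hit with a full Authenticode check, including the signing timestamp: a binary signed by "philandro Software GmbH" that is not a known-good AnyDesk release predating 8.0.8 deserves a malware triage.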

MITRE Techniques

  • [T1553.002] Subvert Trust Controls: Code Signing – Use of a stolen AnyDesk code signing certificate to sign malware so that malicious binaries inherit the signer's trust. "abuse of AnyDesk code signing certificates" and "stolen certificate used to sign malicious binaries."
  • [T1036] Masquerading – Malware distributed as, or purporting to be, a legitimate AnyDesk application. "malware could be distributed, purporting to be a legitimate AnyDesk application."
  • [T1133] External Remote Services – RMM tools such as AnyDesk could be abused by threat actors to gain remote access to an environment. "Remote Monitoring and Management (RMM) tools could be abused by threat actors in order to gain remote access to your environment."

Indicators of Compromise

  • [Domain] anydesk.com – official download site for AnyDesk; binaries should be obtained only from here – http://anydesk.com/downloads
  • [File name] AnyDesk Changelog.txt – changelog entry documenting the security update and the code signing certificate exchange
  • [Certificate] Signer name – philandro Software GmbH (subject of the revoked AnyDesk code signing certificate)
  • [Malware] Agent Tesla – over 500 samples signed with the compromised certificate uploaded to VirusTotal since June 2022
  • [Version] AnyDesk for Windows – versions prior to v8.0.8 (signed with the revoked certificate; update to 8.0.8 or later)

Read more: https://www.cybereason.com/blog/threat-alert-the-anydesk-breach-aftermath