
Researchers from Resecurity identified bad actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.
This information acts as a source of new attacks, including targeted phishing campaigns, and the probability of a successful compromise could increase significantly.
The sources and methods of acquiring such data may vary and depend on the particular bad actors’ TTPs. By gaining access to the AnyDesk portal, threat actors could learn details about the license key in use, number of active connections, duration of sessions, customer ID and contact information, email associated with the account, and the total number of hosts with remote access management software activated, along with their online or offline status and IDs.
Even if AnyDesk may take proactive measures to reset their credentials, such data could be extremely valuable for both initial access brokers and ransomware groups familiar with AnyDesk, which is often abused as one of the tools following successful network intrusions. Notably, per additional context acquired from the actor, the majority of exposed accounts on the Dark Web didn’t have 2FA enabled.
The screenshots shared by the actor illustrate successful unauthorized access with sessions dated Feb 3, 2024. Some users may not have changed their password, or this process might still be ongoing. Handling remediation, especially for a large customer base, is complex and may not be instantly executed.

Resecurity informed AnyDesk and notified multiple consumers and enterprises whose credentials have been exposed on the Dark Web.
Notably, the activity with AnyDesk comes right after Cloudflare announced it was targeted, along with Microsoft and Hewlett Packard Enterprise disclosing cybersecurity incidents conducted by a suspected nation-state attacker.
Additional details are available in the analysis published by cybersecurity firm Resecurity.

