Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-Feb-2024 03:27:50 JST Kevin Beaumont

   AnyDesk may have been owned.

   They just had a several day authentication outage they describe as “planned maintenance” (it wasn’t planned) and have now reemerged with a new client, with this in the update notes:

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-Feb-2024 03:35:46 JST Kevin Beaumont

     in reply to

     Waiting for the Friday 11pm blog dump announcing cyber incident

   • Embed this notice
     Jeremy Mill :oh_no_bubble: :verified: (livinginsyn@infosec.exchange)'s status on Saturday, 03-Feb-2024 05:18:08 JST Jeremy Mill :oh_no_bubble: :verified:

     in reply to

     @GossiTheDog Malware signed by their key: https://www.virustotal.com/gui/file/ac71f9ab4ccb920a493508b0e0577b31fe547aa07e914f58f1def47d08ebcf7d/behavior

   • Embed this notice
     Jeremy Mill :oh_no_bubble: :verified: (livinginsyn@infosec.exchange)'s status on Saturday, 03-Feb-2024 06:04:40 JST Jeremy Mill :oh_no_bubble: :verified:

     @GossiTheDog 🤦♂️ Well, that'll teach me, sorry

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-Feb-2024 06:19:14 JST Kevin Beaumont

     in reply to

     If anybody wants a VirusTotal search for _valid_ signed AnyDesk binaries:

     signature:"philandro Software GmbH" signature:9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE entity:file tag:signed NOT tag:invalid-signature

     I don't see any which are triggering suspect AV or behavioural triggers, going back to beginning of January.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-Feb-2024 07:32:48 JST Kevin Beaumont

     in reply to

     There we go, 10pm on the dot UK time on Friday.... again.

     AnyDesk breached, Crowdstrike in doing IR.

     https://anydesk.com/en/public-statement

   • Embed this notice
     Marcus Nogueira (mrcsno@infosec.exchange)'s status on Saturday, 03-Feb-2024 07:35:28 JST Marcus Nogueira

     in reply to

     @GossiTheDog Again? Are they getting targeted every Friday?

   • Embed this notice
     chort ↙️↙️↙️ (chort@infosec.exchange)'s status on Saturday, 03-Feb-2024 08:20:38 JST chort ↙️↙️↙️

     in reply to

     @GossiTheDog LOL, production thoroughly owned, code signing certificate presumed stolen, TLS certificates presumed stolen, login portal passwords presumed stolen, but "the situation is under control and it is safe to use AnyDesk."

     Riiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiight.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-Feb-2024 06:25:19 JST Kevin Beaumont

     in reply to

     If you see stories about lots of AnyDesk creds being leaked - it’s completely unrelated this incident. They’re from info stealers and have existed for years. #threatintel