AnyDesk Breach Calls Urgent Attention To Code Signing Security

On February 2, 2024, popular remote access solution AnyDesk disclosed that it had suffered a cyberattack that compromised its production systems. AnyDesk revealed that they detected the breach in mid-January during a security audit. They immediately began a forensic investigation that confirmed that the attack began in December 2023.

Post the investigation, the team at AnyDesk worked closely with experts at CrowdStrike to initiate a threat remediation and response plan. As part of the plan, they revoked all security-related certificates and remediated or replaced affected systems. They would also be revoking their code signing certificate and issuing software updates with a new certificate.

AnyDesk further reported that as precautionary measures, they have revoked all passwords for their customer web portal, my.anydesk.com, and recommended users to reset their passwords if they have been used on other platforms. They also urged users not to download software or updates from unsecured third-party websites and to update to the latest software version with new code signing certificates.

What’s the Potential Impact of the Compromise?

AnyDesk hasn’t disclosed the root cause or the specifics of the attack. However, their threat mitigation plan, involving forced password resets and the replacement of the code signing certificate, does suggest that the attackers likely compromised user passwords and the company’s code signing certificate.

While AnyDesk claimed that—their systems are designed not to store private keys, security tokens, or passwords—they also did not rule out the theoretical possibility of password compromises. In case the attackers did compromise these passwords, they could misuse these to carry out credential-stuffing attacks, using the same passwords to authenticate and gain access to other services.

Highlighting the reality of this threat, the cybersecurity company Resecurity reported that on February 3, they found more than 18,000 AnyDesk credentials up for sale on the dark web for technical support scams and phishing. However, AnyDesk believes these credentials are old and might have been stolen from malware-infected end-user devices and, therefore, not related to the incident.

Another serious risk we are looking at is the misuse of the code signing certificate. Since there is a high possibility that the attackers accessed the company’s source code and stole the code signing keys, the threat of a software supply chain attack cannot be overlooked. Attackers could insert a malicious payload into AnyDesk’s code base and use the compromised code signing certificate to sign executables, making them appear legitimate, and distribute them to AnyDesk customers, resulting in a large-scale software supply chain attack.

AnyDesk has a large customer base (around 170,000 customers), including giants such as United Nations, NVIDIA, Samsung, Comcast, and SIEMENs. Considering the massive reach, a software supply chain attack would be nothing short of disastrous, just like the SolarWinds Orion Breach.

Secure Code Signing is Indispensable for Software Development and Software Supply Chain Security

Code signing certificates play a critical role in secure software development and delivery. These certificates stand as proof of software authenticity, integrity, and security. They are a testament to the software developer’s commitment to security and user trust.

Build secure code signing into your DevOps processes to ensure code integrity and security with AppViewX SIGN+

When software is appended with a digital signature from a code signing certificate, it indicates that the code has not been altered or tampered with since it was signed. Users can trust that the software comes from a legitimate source and, therefore, is safe to use. This is also why code signing certificates are a prime target for attackers. Stealing a company’s code signing certificate gives attackers wild control over software distribution, allowing them to impersonate the trusted developer and distribute malware to unsuspecting users, eroding their trust.

Identifying and revoking a compromised code signing certificate and cleaning up its misuse can be a complex and time-consuming process. In the meantime, users may continue to encounter compromised software that appears trustworthy and signed with a valid certificate. To prevent this, it is best to manage code signing keys efficiently and prevent code signing compromises.

In light of the increasing code signing-related attacks, the Certificate Authority (CA)/Browser Forum released new baseline requirements for code signing in June 2023. According to the latest mandate, all publicly trusted code signing private keys must be generated and stored in secure hardware crypto modules such as hardware security modules (HSMs) that are at least FIPS 140-2 Level 2 or Common Criteria EAL 4+. As HSMs are tamper-resistant by design, private keys are non-exportable and, therefore, minimize the risk of private key compromises.

Simplify and Modernize Code Signing with AppViewX SIGN+

In a world dominated by DevOps and CI/CD practices, code signing is an invaluable guardian of integrity and trust. Therefore, it is essential that software development organizations see code signing as a security imperative and not merely as a best practice. The AnyDesk breach presents an opportunity for organizations to reassess their code signing processes and invest in holistic solutions that simplify code signing for DevOps, support distributed development teams, and give security teams complete visibility and control of the code signing process.

AppViewX SIGN+ is a fast, reliable, and secure code signing solution built to protect the integrity of code, containers, firmware, and software. With a centralized and integrated approach, AppViewX SIGN+ is designed to simplify code signing for DevOps, enhance software supply chain security, and extend trust to end users.

To learn more about AppViewX SIGN+, visit our product page now or talk to one of our experts.

Tags

  • Certificate authority
  • certificate lifecycle management
  • code signing
  • code signing keys
  • DevOps
  • password compromises
  • Private keys

About the Author

Krupa Patil

Product Marketing Manager

A content creator focused on providing readers and prospective buyers with accurate, useful, and latest product information to help them make better informed decisions.

More From the Author →

Related Articles

Key Lessons To Learn From Entrust Certificate Distrust

| 5 Min Read

Securing Kubernetes: The Risks Of Unmanaged Machine Identities

| 6 Min Read

Attention: Google To Distrust Entrust TLS Certificates

| 5 Min Read