Freely subscribe to our NEWSLETTER

There could be numerous reasons for this attack.

First, this might be part of an effort to gain access to AnyDesk’s customer environments – either to geopolitical actors like the UN - in case the attackers are operating on behalf of a foreign nation-state - or as part of a "for profit" attack by a threat actor trying to steal sensitive customer data.

Another option is a specifically targeted attack aimed at stealing AnyDesk’s source code to abuse it as part of a larger offensive effort which might be carried out later – much like the SolarWinds breach. This could also be a quick cash grab by the threat actors to take the compromised credentials and sell them to the highest bidders on the dark web. Speed would be the goal because as soon as their customers were notified about the breach, they would be changing their passwords.

Kudos to AnyDesk for their transparency and activating an immediate response and remediation plan after they learned of the incident. I am hopeful that the impact on customers will be minimal, but we just do not know today. There are some reports stating that some darkweb sources have customer credentials from up to 20,000 customers for sale, making it critical for AnyDesk’s customers to immediately do a reset.

While purely speculation, by breaching AnyDesk, the threat actors could not just gain unauthorized access to customers system, but also obtain access to significant sensitive data on AnyDesk customers, such as contact info, email addresses and login info, making that credential reset extremely important. Customers should immediately change their passwords and monitor use of AnyDesk in their systems to see if there are any unauthorized access attempts. AnyDesk customers should also be on the lookout for phishing emails about the AnyDesk breach, urging them to open malicious documents and links or download and install malicious software masquerading as AnyDesk "security updates" or "vulnerability scanners."