AnyDesk Incident Response 2-2-2024
29 points by matbilodeau 1 year ago | 11 comments
- matbilodeau 1 year ago
The ramifications of this breach are profound. Cybercriminals who gained access to the AnyDesk portal could glean valuable information about customers, including license keys, active connections, session durations, contact information, email addresses, and the number of managed remote access hosts, all with their online/offline status and IDs. Such details open up a plethora of malicious possibilities.
In light of this breach, AnyDesk customers must take proactive steps to protect their accounts and data. Password changes alone are insufficient. AnyDesk offers a whitelist feature, enabling users to specify who can connect to their devices, adding an extra layer of security. Multi-factor authentication (MFA) is strongly recommended to enhance account protection. Organizations should also monitor for any unexpected password and MFA changes, suspicious sessions, and emails referencing AnyDesk accounts from unknown sources.
https://securityonline.info/anydesk-breach-2024-dark-web-sal...
- cricalix 1 year ago
Are there any good alternatives these days for occasional remote management of a Win10 machine from a Linux desktop? I do occasional support for a club, and it's helpful to not have to go there.
Used to use LogMeIn. Then TeamViewer (but they got popped too). Then AnyDesk. Contemplating I might need to just Tailscale and use RDP, but I need to be able to do it with no interaction at the remote end.
- mindofbeholder 1 year ago
MeshCentral if you’re able to host the service on your own hardware.
- neodymiumphish 1 year ago
TacticalRMM was super useful for me in a very similar context.
- Maskawanian 1 year ago
I've had good experiences with rustdesk.
- jwnin 1 year ago
Page 1 of the IR playbook, announce it Friday evening.
- ratg13 1 year ago
When did this start?
I noticed Microsoft seems to always do this. Is this common practice for everyone now?
- mango7283 1 year ago
just f the rest of us blue teamers right. can't even have a fing quiet Saturday. week after week after week.
and holier than thou IT people call us incompetent just because we won't allow a half dozen unmonitorable open source solutions hacked together as an alternative to using vendor crap. :)
- fullspectrumdev 1 year ago
If you (blue team) are getting in the way of IT operations, you probably are due some criticism.
Security teams should be enablers, and work to find ways to add monitoring - not just “the no department”.
- mango7283 1 year ago
Yeah ideally, it's just we never have enough time and resources to do this right because we're always pulled into firefighting previous insecurity decisions.
That and never having weekends because we can't go one week without yet another CVE
Yeah I'm just frustrated I'm not anywhere near the ideal as I want to be