Incident Analysis

AnyDesk Production Systems Compromised: Code Signing Certificates Stolen

AnyDesk confirmed a breach of their production systems in late January 2024, forcing revocation of code signing certificates and a mandatory password reset for all users.

Alex
Security Researcher
5 min read

On February 2, 2024, AnyDesk confirmed that attackers had compromised their production systems. The German remote desktop software company, used by over 170,000 organizations worldwide, published a terse public statement acknowledging the incident after days of speculation prompted by service outages and a mandatory password reset for all my.anydesk.com portal users.

The breach was significant not just because of AnyDesk's large user base, but because the attackers gained access to production systems where source code and code signing certificates are handled. This placed the incident squarely in supply chain attack territory.

What Happened

AnyDesk stated they became aware of the compromise following an audit of their production systems. The company engaged CrowdStrike for incident response and confirmed the following:

  • Production systems were compromised (not just corporate IT systems)
  • Source code and private code signing keys were accessed
  • No evidence of malware distributed to end users through the AnyDesk update mechanism
  • All security-related certificates were revoked and replaced
  • The my.anydesk.com portal passwords were reset as a precaution

The timeline was murky. AnyDesk's initial statement was dated February 2, but reports indicated that the company's systems had been experiencing disruptions since January 29, when the my.anydesk.com client portal went down. BleepingComputer reported that the breach had actually occurred in mid-to-late December 2023, with AnyDesk beginning remediation in late January.

The Code Signing Problem

The theft of code signing certificates is the most concerning aspect of this breach. Code signing is a fundamental trust mechanism in software distribution. When you download AnyDesk and Windows verifies its digital signature, you are trusting that the binary came from AnyDesk and was not tampered with. If an attacker possesses AnyDesk's code signing private key, they can sign malicious software that appears to be legitimate AnyDesk releases.

AnyDesk responded by revoking the compromised certificates and issuing new ones. They released version 8.0.8 of their Windows client signed with the new certificate and urged users to update. However, the window between the certificate theft and the revocation created risk. Any malicious binaries signed with the stolen certificate during that period would have appeared legitimate to operating systems and security tools.

After the disclosure, security researchers at Hudson Rock reported finding AnyDesk customer credentials for sale on dark web marketplaces. While AnyDesk stated these were not necessarily related to the production breach, the combination of stolen credentials and potentially compromised code signing created an elevated threat landscape for AnyDesk users.

Why Remote Access Tools Are High-Value Targets

Remote access software occupies a uniquely sensitive position in the software ecosystem. Tools like AnyDesk, TeamViewer, and ConnectWise ScreenConnect are installed on endpoints with the explicit purpose of allowing remote control. They typically run with elevated privileges and are often exempted from security controls because they need to function through firewalls and alongside EDR tools.

This makes them extraordinarily valuable to attackers for several reasons:

  • They provide legitimate-looking remote access. Security teams may not flag AnyDesk connections because the tool is authorized.
  • They are widely deployed. A supply chain compromise of AnyDesk could theoretically reach hundreds of thousands of organizations.
  • They handle sensitive operations. Remote desktop sessions can capture credentials, access files, and control systems in ways that most malware can only aspire to.

The AnyDesk breach followed similar incidents affecting other remote access tools. In October 2023, BeyondTrust and 1Password were compromised through Okta's support system breach. In February 2024 (just weeks after the AnyDesk disclosure), ConnectWise ScreenConnect was hit with CVE-2024-1709, a critical authentication bypass that was rapidly mass-exploited.

Credential Implications

The mandatory password reset for all my.anydesk.com users was a significant operational disruption, but it was the right call. The customer portal stores license information, connection logs, and potentially saved connection credentials. If the attackers accessed the backend systems for this portal, they could have harvested credentials that provide access to customer networks.

For organizations using AnyDesk, the password reset was just the first step. Security teams needed to:

  • Rotate any credentials used in AnyDesk connection profiles
  • Audit AnyDesk connection logs for unauthorized sessions during the compromise window
  • Verify that installed AnyDesk binaries were signed with the new certificate
  • Review whether unattended access configurations had been tampered with
  • Consider whether AnyDesk sessions had been used to access other sensitive systems whose credentials now needed rotation
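To make the third item on that list concrete, here is an added PowerShell example (not AnyDesk's or Safeguard.sh's code) that walks the usual AnyDesk install locations, reads each binary's Authenticode signature and reports whether it carries the replacement certificate shipped with 8.0.8 or one of the revoked ones. The thumbprint values and the install paths are assumptions: fill the thumbprints in from the vendor's advisory and add any custom deployment path you use.

```powershell
# Added example, not AnyDesk's or Safeguard.sh's tooling.
# The thumbprints below are PLACEHOLDERS: take the revoked and replacement
# certificate thumbprints from the vendor's advisory before running this.
$RevokedThumbprints = @('REVOKED-CERT-THUMBPRINT-PLACEHOLDER')
$TrustedThumbprint  = 'NEW-CERT-THUMBPRINT-PLACEHOLDER'

# Common AnyDesk locations (assumed); extend with custom paths from your deployment.
$SearchRoots = @("$env:ProgramFiles\AnyDesk",
                 "${env:ProgramFiles(x86)}\AnyDesk",
                 "$env:ProgramData\AnyDesk",
                 "$env:APPDATA\AnyDesk")

function Test-AnyDeskSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }
    # Check the signer first: a binary signed with the stolen key can still
    # report a Valid status if the local revocation check did not run.
    $verdict =
        if ($RevokedThumbprints -contains $thumb) { 'SIGNED_WITH_REVOKED_CERT' }
        elseif ($sig.Status -ne 'Valid')          { 'INVALID_OR_UNSIGNED' }
        elseif ($thumb -eq $TrustedThumbprint)    { 'OK_NEW_CERT' }
        else                                      { 'UNEXPECTED_SIGNER' }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { '' }
        Thumbprint = $thumb
        NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
        Verdict    = $verdict
    }
}

$results = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object { Test-AnyDeskSignature -Path $_.FullName }
    }
}

$results | Sort-Object Verdict | Format-Table Verdict, Status, Thumbprint, Path -AutoSize
# Everything that is not OK_NEW_CERT needs follow-up: reinstall from the
# re-signed release, or investigate how that binary got onto the host.
$results | Where-Object Verdict -ne 'OK_NEW_CERT' |
    Export-Csv -Path .\anydesk-signing-audit.csv -NoTypeInformation
```

Run it from an elevated session so the service install directory is readable, and feed the CSV into whatever ticketing or inventory workflow drives the rest of the checklist.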

Lessons Learned

The AnyDesk breach reinforced several important principles for organizations that rely on third-party remote access tools.

First, code signing is a single point of failure that organizations rarely plan for. If a vendor's signing key is compromised, every binary they have ever signed needs to be re-evaluated. Organizations should have processes for responding to vendor certificate revocations, including the ability to quickly identify and replace affected software.

Second, remote access tools should be treated as critical infrastructure, not convenience software. They should be inventoried, monitored, updated promptly, and subject to the same security scrutiny as VPN appliances and other trust boundaries.

Third, vendor transparency matters. AnyDesk's initial communication was limited, and the gap between the actual breach and public disclosure frustrated customers and security teams who needed to assess their exposure. Organizations should factor vendor incident communication practices into their risk assessments when selecting remote access solutions.

How Safeguard.sh Helps

Safeguard.sh helps organizations track their entire software inventory, including remote access tools and their versions. When a vendor like AnyDesk discloses a breach and revokes certificates, Safeguard.sh can identify every instance of the affected software across your infrastructure, enabling rapid response. Our continuous monitoring alerts you to version changes, certificate anomalies, and newly published CVEs affecting your deployed software, ensuring that compromised tools do not linger in your environment while you conduct manual audits.
