AnyDesk breach highlights need for remote access vigilance

The recent AnyDesk breach provides a timely reminder to ensure organizations are following best practices regarding remote access software and services — both third-party tools and the features or services embedded in operating systems, browsers and more.

The maker of AnyDesk forced a password reset for all users after it found 18,000 user credentials for sale on the dark web for $15,000. The breach potentially exposed AnyDesk customers’ license keys, the number of active connections, session durations, customer IDs and contact information, the email address associated with the account, and the total number of hosts with remote access management software activated.

This breach is yet another reminder of the many threats that organizations face from remote access software and services. In the months leading up to the attack, security research labs observed an uptick in threat activity targeting and abusing these tools and services — and many predict this trend will likely continue through 2024 and beyond.

Remote access tool vs. remote access trojan

IT support teams rely on AnyDesk for remote control, file transfer and VPN functionality. It’s a useful tool to troubleshoot issues, perform maintenance and install patches. Unfortunately, attackers also find huge value in these remote access tools, which serve the same purpose as a remote access trojan.

Like other remote access software, AnyDesk is often abused by adversaries to carry out attacks. To take control of a company’s internal network, attackers such as the Conti ransomware group are known to pair AnyDesk with Cobalt Strike during an intrusion.

Attackers use these remote access tools to target users in tech support scams. The attacker impersonates corporate or legitimate software support staff with the goal of convincing users to install or allow the remote access tool. The attacker then takes control of the machine to install malware. Once attackers have achieved a beachhead, they can then use the breached organization’s legitimate remote access tools to blend malicious activity into regular network traffic, making it both easier to spread and more difficult to detect.

External remote services

Similar to remote access software, external remote services are common in operating systems and browsers, with services like Windows Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), X11 forwarding over SSH and XRDP (an open-source implementation of Microsoft’s RDP that lets users graphically control a remote Linux machine from a Windows machine using the native Windows RDP client).

Like remote access software, these services are targets for brute force attacks and credential theft. Once inside a network, attackers use RDP or other external remote services to move laterally to other systems, escalate their privileges, and compromise additional resources. Both categories of tools can be incredibly useful for organizations, but in the hands of attackers they represent a significant threat. As attackers refine their tactics, securing these tools and services is increasingly critical.

Remote access best practices

While an organization’s IT support team likely won’t let security leaders eliminate all use of remote access tools and external remote services, security teams should familiarize themselves with the following best practices:

Implement application whitelisting: 

Utilize application control solutions like AppLocker to create a whitelist of approved software. By default, block all applications not explicitly approved, ensuring that unauthorized remote control software cannot be installed or run on any system within the network.

Block control servers at the network perimeter: 

Configure the organization’s proxy or web gateway to block access to known control servers used by popular remote control software vendors. This step prevents remote control software from connecting to their servers for updates or remote access functionalities.

Integrate alerts into SIEM systems: 

Enhance the Security Information and Event Management (SIEM) system to generate alerts for any attempt to access known remote control servers or when unauthorized software is detected on key systems. This allows for immediate detection and response to potential security incidents.

Monitor and control network traffic: 

Regularly review network traffic logs for any unusual patterns or connections to known remote control servers. Use network segmentation and firewall policies to restrict unnecessary outbound connections.

Educate and train employees: 

Conduct regular security awareness training for all employees to highlight the risks associated with unauthorized remote control software. Educate them on the proper use of approved applications and the importance of following company security policies.

Managed exceptions: 

In cases where the use of specific remote control software is required for legitimate business purposes, establish a controlled process for granting exceptions. This process should include obtaining approval from the IT security team, documenting the justification for the exception, and limiting the software’s use to specific devices or users under strict monitoring.
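The SIEM alerting, traffic monitoring and managed-exception practices above can be combined into a single detection rule. The following is an added example (not code from the article or from AnyDesk): it scans constructed proxy and process-creation log lines, alerts on connections to a remote-control vendor domain or on launches of a remote-control executable, and suppresses alerts for host/user pairs on an approved-exception list. The vendor domain suffix, executable name and log format are illustrative assumptions, not an authoritative indicator list.

```python
from dataclasses import dataclass

# Illustrative indicators (assumption): a real deployment should source vendor
# domain suffixes and executable names from vendor documentation, not this list.
REMOTE_CONTROL_DOMAINS = ("anydesk.com",)
REMOTE_CONTROL_EXES = {"anydesk.exe"}

# Managed exceptions: (host, user) pairs approved by the security team and
# kept under monitoring, per the exception process described above.
APPROVED = {("IT-SUPPORT-01", "helpdesk")}


@dataclass(frozen=True)
class Alert:
    kind: str
    host: str
    user: str
    detail: str


def _is_vendor_domain(fqdn: str) -> bool:
    """True if fqdn is a listed vendor domain or a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in REMOTE_CONTROL_DOMAINS)


def evaluate(log_lines):
    """Parse key=value log lines and return alerts for non-approved activity."""
    alerts = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        host, user = fields.get("host", "?"), fields.get("user", "?")
        if (host, user) in APPROVED:
            continue  # managed exception: allowed, but still logged upstream
        if fields.get("type") == "proxy" and _is_vendor_domain(fields.get("dst", "")):
            alerts.append(Alert("remote_control_server", host, user, fields["dst"]))
        elif fields.get("type") == "process":
            image = fields.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in REMOTE_CONTROL_EXES:
                alerts.append(Alert("unauthorized_remote_tool", host, user, fields["image"]))
    return alerts


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_LOGS = [
    "type=proxy host=FIN-LAPTOP-07 user=jdoe dst=relay.anydesk.com action=allow",
    "type=proxy host=IT-SUPPORT-01 user=helpdesk dst=relay.anydesk.com action=allow",
    "type=process host=HR-PC-02 user=asmith image=C:\\Users\\asmith\\Downloads\\AnyDesk.exe",
    "type=process host=HR-PC-02 user=asmith image=C:\\Windows\\System32\\notepad.exe",
    "type=proxy host=FIN-LAPTOP-07 user=jdoe dst=www.example.com action=allow",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"[{a.kind}] {a.host}/{a.user}: {a.detail}")
```

Running the block yields two alerts (the finance laptop's connection to the vendor relay and the HR user's AnyDesk launch), while the approved help-desk host is silently skipped.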

The AnyDesk breach is just one example of many, demonstrating that while IT support teams may think they have their bearings when it comes to understanding their exposure, that often isn’t the case. It’s no longer enough to rely on reactive security measures — a proactive, security validation approach is critical.