Hackers Exploit AnyDesk Impersonating CERT-UA to Launch Cyber-Attacks 

Adversaries frequently leverage legitimate tools in their malicious campaigns. The popular AnyDesk remote utility has also been largely exploited by hackers for offensive purposes. Cyber defenders have unveiled the recent misuse of AnyDesk software to connect to targeted computers, masquerading the malicious efforts as CERT-UA activity.

Detect Cyber-Attacks Exploiting AnyDesk Based on CERT-UA Research

Adversaries often exploit remote management tools for malicious purposes. For instance, the Remote Utilities software has been extensively used in offensive campaigns targeting Ukraine. The latest CERT-UA alert sheds light on the misuse of another legitimate remote access tool, AnyDesk: victims are lured into accepting a remote session under the false claim that a security audit is being conducted. SOC Prime Platform for collective cyber defense curates a relevant set of detection algorithms that help security engineers identify which hosts run AnyDesk, so that the risk of intrusion through it can be minimized. Since adversaries already know the AnyDesk IDs of the hosts they approach and attempt to connect while impersonating CERT-UA, SOC Prime offers the relevant SOC content to detect such hosts, which are the potential targets.

Click the Explore Detections button to access the dedicated detection content items aligned with the MITRE ATT&CK® framework and enhanced with relevant threat intel and actionable metadata, like attack timelines, false-positive rates, and audit configuration recommendations. All detections are also compatible with the industry-leading SIEM, EDR, and Data Lake technologies to enable seamless cross-platform threat detection.

AnyDesk Misuse: Cyber-Attack Analysis 

CERT-UA researchers have received information about multiple adversary attempts to remotely connect to targeted instances using the AnyDesk application, allegedly on behalf of CERT-UA.

According to the research, attackers send AnyDesk connection requests disguised as a security audit meant to verify the target’s protection level, fraudulently claiming to act on behalf of CERT-UA. The requests use the CERT-UA logo and the AnyDesk ID “1518341498”, which may vary between incidents.

Notably, the CERT-UA team may use remote access tools, including AnyDesk, in certain cases to help organizations protect their cybersecurity assets. This includes providing activities to prevent, detect, and mitigate the consequences of cyber incidents. However, these operations are only conducted after prior agreement via pre-established communication channels.

In the latest malicious campaign, attackers apply social engineering techniques that exploit trust and authority. These cyber-attacks exploiting AnyDesk can succeed only if adversaries know the victim’s AnyDesk ID and the targeted computer has a functional AnyDesk installation. This also suggests that the targeted AnyDesk ID was likely obtained under other circumstances, for instance through the compromise of other systems from which remote access to the victim had previously been authorized.

To reduce the risks of AnyDesk exploitation, CERT-UA prompts users to remain vigilant and ensure that remote access tools are enabled only during active sessions and that any operations involving remote access are personally agreed upon via established communication channels. It is also highly recommended that organizations apply a proactive defense strategy to spot any traces of suspicious behavior in a timely manner. If organizations rely on AnyDesk, they should proactively detect hosts used by this remote utility to minimize the risks of unauthorized remote access. SOC Prime Platform for collective cyber defense equips security teams with a complete product suite for future-proof cyber defense, offering advanced threat detection, automated threat hunting, and intelligence-driven detection engineering to help organizations always stay one step ahead of adversaries. 

MITRE ATT&CK Context

To gain a deeper context of the latest attacks purportedly acting on behalf of CERT-UA, check out a set of Sigma rules that can help identify hosts leveraging AnyDesk. Relying on MITRE ATT&CK can also improve visibility into behavioral patterns associated with malicious activities involving AnyDesk to impersonate CERT-UA.

The post Hackers Exploit AnyDesk Impersonating CERT-UA to Launch Cyber-Attacks  appeared first on SOC Prime.