CERTFR-2024-ALE-003



PREMIER MINISTRE
SGDSN
Agence nationale de la sécurité des systèmes d'information

Paris, 5 February 2024
N° CERTFR-2024-ALE-003

Contact: CERT-FR

CERT-FR ALERT BULLETIN

Subject: Incident affecting AnyDesk solutions

Document management

Reference: CERTFR-2024-ALE-003
Title: Incident affecting AnyDesk solutions
Date of first version: 5 February 2024
Date of latest version: 5 February 2024
Source(s): AnyDesk vendor statement of 2 February 2024
Attachment(s): None

Table 1: Document management

A detailed version history appears at the end of this document.

Risk(s)

Remote takeover by a malicious actor

Affected systems

All software products of the company AnyDesk (Windows, Linux, macOS, Android, iOS, AppleTV, etc.):

- For Windows, installable and portable versions earlier than 8.0.8;
- For other platforms, ANSSI is awaiting further information and invites you to stay alert to future communications.

Secrétariat général de la défense et de la sécurité nationale – ANSSI – CERT-FR
51, bd de La Tour-Maubourg, 75700 Paris 07 SP
Tel.: +33 1 71 75 84 68   Fax: N/A
Web: https://www.cert.ssi.gouv.fr   Mail: [email protected]

Summary

On 29 January 2024, ANSSI was alerted by the BSI that the vendor AnyDesk Software GmbH had been the victim of an intrusion. The source code of the applications developed by the vendor, as well as the certificates and private keys used to sign them, were stolen.

The vendor specialises in remote-control software, generally used for remote user support, server administration, teleworking, or as a pivot towards company resources that are not reachable from the public Internet. The AnyDesk solutions cover a wide range of operating systems: Linux, Windows, macOS, Android, iOS, AppleTV, etc.

Because of this intrusion, the exfiltrated data could be used in multiple attacks against users of the AnyDesk solutions. An attacker could use these sensitive elements to:

- weaken the security of the communication infrastructure between AnyDesk users, for example by attempting interception attacks (Meddler in the Middle / Man in the Middle);
- trojanise the various software packages published by the company, or software presented as the company's products.

At this stage, CERT-FR cannot confirm the likelihood or the complexity of carrying out such attacks. However, given the nature of this type of software and the conditions in which it is used, interception of exchanges between users or a trojanised application could serve as an entry point into information systems.

Precautionary measures

Pending further information, CERT-FR recommends carrying out the following actions:

1. Identify and inventory every AnyDesk installation on your information systems (mobile devices and IoT devices should also be checked):
   - to help identify these machines, several methods are proposed in the section "Identifying and inventorying uses of AnyDesk on your information systems",
   - once this identification is done, keep the results to facilitate possible future investigations;
2. Identify whether each installation of this application is legitimate, i.e. approved and tracked by your organisation;
3. Identify the sensitivity of the machines, workstations and servers associated with these uses, and the various risks attached to them;
4. As part of your risk assessment, determine the impact of an incident scenario involving the potential compromise of one or more of these machines;
5. Depending on your risk assessment, and in order to anticipate possible future digital investigations, collect and sequester a set of forensic artefacts from all the machines concerned:
   - if this is not possible across the whole estate, ANSSI recommends starting with the most critical machines,
   - see the section "Preventive collection";
6. Depending on your assessment of the various risks and constraints:
   - uninstall the AnyDesk solution and use an alternative,
   - for Windows environments, install AnyDesk version 8.0.8 (preferably by retrieving the installer from the official website https://anydesk.com),
   - for other platforms, ANSSI is awaiting further information and invites you to stay alert to future communications from the vendor,
   - once the estate has been migrated to this new version, and as far as possible, detect/block any application signed with the following certificate:
     fingerprint: 9cd1ddb78ed05282353b20cdfe8fa0a4fb6c1ece
     serial: 0dbf152deaf0b981a8a938d53f769db8
     valid from: Monday 13 December 2021 01:00:00
     valid to: 9 January 2025 00:59:59
     CN = Philandro Software GmbH
     O = Philandro Software GmbH
     L = Stuttgart
     S = Baden-Württemberg
     C = DE
7. Look for any suspicious activity appearing on, or originating from, these machines since 20/12/2023. If applicable, call on a qualified security incident response provider (PRIS).

Identifying and inventorying uses of AnyDesk on your information systems

To identify all machines likely to use the AnyDesk solution, several methods can be combined:

Network logs

At the network level, identify machines with connections to the following domain:

*.net.anydesk.com

System logs

Any of the following observables may indicate the presence of AnyDesk.

Windows

The ANSSI FastFind tool, attached to this publication and applicable to Windows, can be used. The required elements can also be searched for with the information system's existing tooling (e.g. asset management tools, EDR, etc.).

Download the FastFind tool

Presence of the following files:

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk
C:\Windows\Prefetch\ANYDESK.EXE-[A-F0-9]{8}.pf

(As a reminder, a portable version of the application also exists.)

Presence of the following registry keys:

HKLM\SYSTEM\ControlSet001\Services\AnyDesk
HKLM\SOFTWARE\Clients\Media\AnyDesk
HKLM\SOFTWARE\Classes\.anydesk\shell\open\command

In the Windows event logs, look for the service installation event (ID 7045) below:

ImagePath: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
ServiceName: "AnyDesk Service"
ServiceType: "user mode service"
StartType: "auto start"

Any binary signed with the certificate:

fingerprint: 9cd1ddb78ed05282353b20cdfe8fa0a4fb6c1ece
serial: 0dbf152deaf0b981a8a938d53f769db8
valid from: Monday 13 December 2021 01:00:00
valid to: 9 January 2025 00:59:59
CN = Philandro Software GmbH
O = Philandro Software GmbH
L = Stuttgart
S = Baden-Württemberg
C = DE

Linux

Presence of the following files:

/etc/systemd/system/anydesk.service
/usr/bin/anydesk
/usr/lib64/anydesk
/usr/libexec/anydesk
/home/*/.anydesk/

macOS

Presence of the following files:

~/.anydesk/system.conf
~/.anydesk/service.conf
~/.anydesk/user.conf

and presence of the application:

/Applications/Anydesk.app/
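The indicators above (the *.net.anydesk.com domain, the Windows, Linux and macOS file paths, the registry keys, the 7045 service-installation event, and the stolen signing certificate that measure 6 asks you to block) can be checked mechanically across an inventory. The following Python script is an added example, not the ANSSI FastFind tool and not AnyDesk code: it encodes those indicators from this bulletin and runs them over a small constructed sample of hosts. All host names, IP addresses, log lines, paths and event fields in the sample are made up, and the layout of the per-host dictionaries and of the resolver log lines are assumptions of the example; in practice you would feed it an EDR or asset-management export.

```python
"""Inventory check for the AnyDesk indicators given in this bulletin, run over a
constructed sample of hosts. Added example: not the ANSSI FastFind tool, not AnyDesk code."""
import re

# --- Indicators taken from the bulletin ------------------------------------------
ANYDESK_DOMAIN_SUFFIX = ".net.anydesk.com"          # network logs: *.net.anydesk.com

FILE_PATTERNS = [                                   # Windows, Linux and macOS paths
    re.compile(r"^C:\\Program Files \(x86\)\\AnyDesk\\AnyDesk\.exe$", re.I),
    re.compile(r"\\Start Menu\\Programs\\StartUp\\AnyDesk\.lnk$", re.I),
    re.compile(r"^C:\\Windows\\Prefetch\\ANYDESK\.EXE-[A-F0-9]{8}\.pf$", re.I),
    re.compile(r"^/etc/systemd/system/anydesk\.service$"),
    re.compile(r"^/usr/(bin|lib64|libexec)/anydesk$"),
    re.compile(r"^/home/[^/]+/\.anydesk/"),
    re.compile(r"^/Applications/Anydesk\.app/", re.I),
    re.compile(r"/\.anydesk/(system|service|user)\.conf$"),   # ~/.anydesk/*.conf on macOS
]
REGISTRY_KEYS = {                                   # compared case-insensitively
    r"hklm\system\controlset001\services\anydesk",
    r"hklm\software\clients\media\anydesk",
    r"hklm\software\classes\.anydesk\shell\open\command",
}
STOLEN_CERT_FINGERPRINT = "9cd1ddb78ed05282353b20cdfe8fa0a4fb6c1ece"   # SHA-1 thumbprint
STOLEN_CERT_SERIAL = "0dbf152deaf0b981a8a938d53f769db8"

def is_anydesk_relay(hostname):
    """Suffix match on a label boundary: 'relay-1.net.anydesk.com' matches,
    'net.anydesk.com.attacker.test' and 'xnet.anydesk.com' do not."""
    return hostname.rstrip(".").lower().endswith(ANYDESK_DOMAIN_SUFFIX)

def matches_anydesk_file(path):
    return any(p.search(path) for p in FILE_PATTERNS)

def is_anydesk_service_event(event):
    """System log event ID 7045 whose ImagePath is AnyDesk.exe started with --service."""
    image = event.get("ImagePath", "").lower()
    return event.get("EventID") == 7045 and "anydesk.exe" in image and "--service" in image

def norm_hex(value):
    """Accept 'AA:BB', 'aa bb' or 'aabb' forms as printed by different signature tools."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def signed_with_stolen_cert(signer):
    return (norm_hex(signer.get("thumbprint", "")) == STOLEN_CERT_FINGERPRINT
            or norm_hex(signer.get("serial", "")) == STOLEN_CERT_SERIAL)

def triage_host(host):
    """host: dict of observables for one machine (layout is an assumption of this example)."""
    findings = []
    for line in host.get("dns", []):               # assumed resolver log: "<ts> <client> <qname>"
        qname = line.split()[-1]
        if is_anydesk_relay(qname):
            findings.append(("network", qname))
    for path in host.get("files", []):
        if matches_anydesk_file(path):
            findings.append(("file", path))
    for key in host.get("registry", []):
        if key.lower() in REGISTRY_KEYS:
            findings.append(("registry", key))
    for ev in host.get("events", []):
        if is_anydesk_service_event(ev):
            findings.append(("service", ev.get("ServiceName", "?")))
    for binary in host.get("signed_binaries", []):
        if signed_with_stolen_cert(binary):
            findings.append(("stolen-cert", binary["path"]))
    return findings

# Constructed sample inventory (every host name, IP, path and event here is made up).
SAMPLE_HOSTS = {
    "ws-paris-01": {
        "dns": ["2024-02-01T09:12:03Z 10.1.2.30 relay-7f3a.net.anydesk.com"],
        "files": [r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                  r"C:\Windows\Prefetch\ANYDESK.EXE-4A1B2C3D.pf"],
        "registry": [r"HKLM\SYSTEM\ControlSet001\Services\AnyDesk"],
        "events": [{"EventID": 7045, "ServiceName": "AnyDesk Service",
                    "ImagePath": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'}],
        "signed_binaries": [{"path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                             "thumbprint": "9C:D1:DD:B7:8E:D0:52:82:35:3B:20:CD:FE:8F:A0:A4:FB:6C:1E:CE"}],
    },
    "srv-lyon-db": {"dns": ["2024-02-01T10:00:00Z 10.2.0.5 net.anydesk.com.attacker.test"],
                    "files": ["/usr/bin/anydesk", "/home/dba/.anydesk/service.conf"]},
    "mac-design-04": {"files": ["/Applications/Anydesk.app/", "/Users/ana/.anydesk/user.conf"]},
    "clean-host": {"dns": ["2024-02-01T11:00:00Z 10.3.0.9 updates.example.com"],
                   "files": [r"C:\Windows\System32\svchost.exe"]},
}

def run_inventory(hosts=SAMPLE_HOSTS):
    """Return {hostname: findings} for every host with at least one indicator."""
    return {name: f for name, f in ((n, triage_host(h)) for n, h in hosts.items()) if f}

if __name__ == "__main__":
    for name, findings in run_inventory().items():
        print(name)
        for kind, detail in findings:
            print(f"  {kind:<12} {detail}")
```

The domain check deliberately matches only on a label boundary, because a look-alike such as net.anydesk.com.attacker.test would otherwise show up as a legitimate relay; the certificate check normalises the thumbprint and serial so that output from signtool, Get-AuthenticodeSignature or osslsigncode compares equal, and it keys on both values so a binary is flagged even when a tool only reports one of them.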

Preventive collection

To support a possible future investigation and make it easier, ANSSI recommends sequestering at minimum the following elements before upgrading the application. In case of suspicion, proceed with their analysis.

Logs to collect:

- system logs of the machines concerned;
- application logs of the AnyDesk solutions.

Application-specific locations in a Windows environment:

%APPDATA%\AnyDesk\ad.trace                    # user-interface log
%PROGRAMDATA%\AnyDesk\ad_svc.trace            # service logs
%PROGRAMDATA%\AnyDesk\connection_trace.txt    # incoming connection logs

Application-specific locations in a Linux environment:

/home/*/.anydesk/.anydesk.trace
/home/*/.anydesk/anydesk.trace
/root/*/.anydesk/.anydesk.trace
/root/*/.anydesk/anydesk.trace
/var/log/anydesk.trace
/etc/anydesk/connection_trace.txt

Application-specific locations in a macOS environment:

~/.anydesk/anydesk.trace
~/.anydesk/connection_trace.txt

Copy of the volatile memory (RAM) of the machines concerned.
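The collection above comes down to two steps: copy the listed artefacts somewhere they cannot be altered, with integrity hashes, and then read connection_trace.txt for activity since 20/12/2023 as measure 7 asks. The following Python script is an added example, not part of the bulletin and not AnyDesk code: it sequesters the Linux artefact paths listed above from a constructed directory tree (built in a temporary folder so the example runs offline), writes a SHA-256 manifest, and triages a constructed connection_trace.txt. The tab-separated layout assumed for connection_trace.txt (direction, "YYYY-MM-DD, HH:MM", authentication method, remote ID, alias) and the sample entries are assumptions of this example; confirm the layout against a real file before relying on the parser.

```python
"""Preventive collection: sequester the AnyDesk artefacts listed in the bulletin with a
SHA-256 manifest, then triage connection_trace.txt for activity since 20/12/2023.
Added example; the connection_trace.txt layout and all sample data are assumptions."""
import glob
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Artefact locations from the bulletin, per OS (globs kept as written there).
ARTEFACTS = {
    "windows": [r"%APPDATA%\AnyDesk\ad.trace",
                r"%PROGRAMDATA%\AnyDesk\ad_svc.trace",
                r"%PROGRAMDATA%\AnyDesk\connection_trace.txt"],
    "linux": ["/home/*/.anydesk/.anydesk.trace", "/home/*/.anydesk/anydesk.trace",
              "/var/log/anydesk.trace", "/etc/anydesk/connection_trace.txt"],
    "macos": ["~/.anydesk/anydesk.trace", "~/.anydesk/connection_trace.txt"],
}
SUSPECT_SINCE = datetime(2023, 12, 20)   # start date given in measure 7 of the bulletin

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sequester(patterns, dest, root="/"):
    """Copy every artefact matching `patterns` (resolved under `root`) into `dest`, keeping
    the original relative path and mtime, and write a SHA-256 manifest next to the copies.
    Source files are only read, never modified."""
    dest = Path(dest)
    manifest = {}
    for pattern in patterns:
        for src in glob.glob(str(Path(root) / pattern.lstrip("/"))):
            rel = os.path.relpath(src, root)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)                  # copy2 preserves timestamps
            manifest[rel] = sha256_file(src)
            if sha256_file(target) != manifest[rel]:   # the copy must be bit-identical
                raise RuntimeError(f"hash mismatch after copying {src}")
    (dest / "MANIFEST.sha256.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def parse_connection_trace(text):
    """Parse connection_trace.txt. Assumed tab-separated layout:
    direction, 'YYYY-MM-DD, HH:MM', auth method (User/Passwd/Token), remote ID, alias."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < 4:
            continue                                   # blank or malformed line
        rows.append({"direction": parts[0],
                     "when": datetime.strptime(parts[1], "%Y-%m-%d, %H:%M"),
                     "auth": parts[2],
                     "remote_id": parts[3],
                     # password/token logins are unattended access: review these first
                     "unattended": parts[2] in ("Passwd", "Token")})
    return rows

def suspicious_connections(rows, since=SUSPECT_SINCE):
    """Incoming sessions on or after the bulletin's date, in file order."""
    return [r for r in rows if r["direction"] == "Incoming" and r["when"] >= since]

# Constructed sample trace for the offline demo (not a real log).
SAMPLE_TRACE = (
    "Incoming\t2023-12-18, 09:05\tUser\t123456789\t123456789\n"
    "Incoming\t2024-01-27, 03:41\tPasswd\t987654321\t987654321\n"
    "Incoming\t2024-02-01, 14:10\tUser\t555000111\t555000111\n"
)

def demo():
    """Build a fake Linux root in a temp dir, sequester it, and triage the trace."""
    root = Path(tempfile.mkdtemp(prefix="anydesk-root-"))
    (root / "etc/anydesk").mkdir(parents=True)
    (root / "etc/anydesk/connection_trace.txt").write_text(SAMPLE_TRACE)
    (root / "home/dba/.anydesk").mkdir(parents=True)
    (root / "home/dba/.anydesk/anydesk.trace").write_text("constructed client trace\n")
    (root / "var/log").mkdir(parents=True)
    (root / "var/log/anydesk.trace").write_text("constructed service trace\n")
    dest = tempfile.mkdtemp(prefix="sequestre-")
    manifest = sequester(ARTEFACTS["linux"], dest, root=root)
    rows = parse_connection_trace((root / "etc/anydesk/connection_trace.txt").read_text())
    return manifest, suspicious_connections(rows)

if __name__ == "__main__":
    manifest, hits = demo()
    for rel, digest in sorted(manifest.items()):
        print(f"{digest}  {rel}")
    for r in hits:
        print(f"{r['when']:%Y-%m-%d %H:%M}  {r['auth']:<7} id={r['remote_id']}  unattended={r['unattended']}")
```

On a real machine the collection runs with root="/" (and the Windows list after expanding %APPDATA% and %PROGRAMDATA% for each profile); the manifest written alongside the copies is what lets an investigator later show that the sequestered files are the ones that were on the host before the upgrade. Remember that the trace is only evidence of sessions AnyDesk itself recorded, so an empty result is not proof of absence.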

Documentation

AnyDesk vendor statement of 2 February 2024
https://anydesk.com/en/public-statement

Good reflexes in case of an intrusion on an information system
https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/

Detailed document history

5 February 2024: Initial version

Conditions of use of this document: https://www.cert.ssi.gouv.fr

Latest version of this document: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/