Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Sai Prashanth

2/8/2024 - 3 min read

Introduction

In the world of cybersecurity, contributions come in various forms. One such contribution is the creation of rules that enhance the security of applications. This blog post discusses a pull request made to SigmaHQ that added a new rule to detect the execution of the AnyDesk application signed with a known compromised certificate.

The Importance of the Rule

The importance of this rule is underscored by a recent security incident involving AnyDesk. A security audit revealed evidence of compromised production systems.

AnyDesk Vulnerability: The author found out that AnyDesk did not check the validity of the signing certificate of the executable files it downloaded and ran on the remote system. This meant that an attacker could use a revoked certificate that was previously used by AnyDesk to sign a malicious executable and trick the remote system into running it.

Exploitation Steps: The attacker used a tool called SigThief to steal the revoked certificate from an older version of AnyDesk and embed it into his malicious payload. He then set up a fake update server and redirected the DNS requests of the remote system to his server using a tool called Responder. He also modified the update configuration file of AnyDesk to point to his server. When the remote system checked for updates, it downloaded and ran the malicious payload signed with the revoked certificate, without any warning or prompt.

In response to the incident, AnyDesk said all security-related certificates were revoked, and systems were remediated or replaced where necessary. The previous code signing certificate for binaries is being revoked and replaced with a new one. As a precaution, all passwords to the web portal, my.anydesk.com, are being revoked, and users are recommended to change their passwords if the same credentials are used elsewhere.

To date, there is no evidence that any end-user devices have been affected. The situation is under control, and it is safe to use AnyDesk, provided that the latest version with the new code signing certificate is used.

This rule is particularly important for SOC analysts and threat hunters. It allows them to detect instances of older versions of AnyDesk using the compromised certificate, thereby helping to prevent potential security breaches.

The Pull Request

The pull request introduced a new rule: “Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate”. This rule detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the AnyDesk application used a signing certificate that got compromised by threat actors. This rule is recommended in order to keep attackers from leveraging that certificate to sign their own binaries and bypass detections.

The Rule Details

The rule has the ID 41f407b5-3096-44ea-a74f-96d04fbc41be and is currently in an experimental status. It was authored by Sai Prashanth Pulisetti and Nasreddine Bencherchali from Nextron Systems on February 8, 2024. The rule is tagged with attack.execution and attack.initial_access.

The rule applies to Windows process-creation logs. It detects instances where the image ends with ‘\AnyDesk.exe’, and the description, product, and company are all ‘AnyDesk’. It also checks for file versions starting with ‘7.0.’, ‘7.1.’, and ‘8.0.1’ to ‘8.0.7’. The rule excludes command lines containing ‘ --remove’ and ‘ --uninstall’, so routine uninstalls of an old build do not alert. The rule’s condition is that all selection criteria must match and none of the filter criteria may match.
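As an added illustration (not the Sigma rule file and not code from the pull request), the following Python evaluates the selection and filter logic just described over a handful of constructed process-creation events. Field names follow Sigma's process_creation naming (Image, Description, Product, Company, FileVersion, CommandLine); the hosts, paths and events are made up. It also surfaces one check a practitioner would want to run against the rule as described: because the version match is a prefix match, ‘8.0.1’ also matches a hypothetical ‘8.0.10’ build, so the version list would need tightening if such a release ever shipped.

```python
"""Added example: a stand-alone evaluator for the AnyDesk revoked-certificate
detection logic described above. This is illustrative code, not the Sigma rule
file itself and not SigmaHQ tooling. Field names follow the Sigma
process_creation naming (Image, Description, Product, Company, FileVersion,
CommandLine) and the sample events below are constructed, not real telemetry.
"""

# Version prefixes named by the rule: 7.0.x, 7.1.x and 8.0.1 through 8.0.7.
REVOKED_VERSION_PREFIXES = ["7.0.", "7.1."] + [f"8.0.{n}" for n in range(1, 8)]

# Command-line fragments that mark an uninstall; the rule filters these out.
UNINSTALL_MARKERS = [" --remove", " --uninstall"]


def _field(event: dict, name: str) -> str:
    """Return a field as a lower-cased string. Sigma string matching is
    case-insensitive by default, so all comparisons below use lower case."""
    return str(event.get(name, "")).lower()


def matches_selection(event: dict) -> bool:
    """Selection: image ends with \\AnyDesk.exe and the PE metadata says AnyDesk."""
    return (
        _field(event, "Image").endswith("\\anydesk.exe")
        and _field(event, "Description") == "anydesk"
        and _field(event, "Product") == "anydesk"
        and _field(event, "Company") == "anydesk"
    )


def has_revoked_version(event: dict) -> bool:
    """Selection: FileVersion starts with one of the flagged prefixes."""
    version = _field(event, "FileVersion")
    return any(version.startswith(p) for p in REVOKED_VERSION_PREFIXES)


def is_uninstall(event: dict) -> bool:
    """Filter: uninstall/remove invocations are excluded to cut noise."""
    cmdline = _field(event, "CommandLine")
    return any(marker in cmdline for marker in UNINSTALL_MARKERS)


def rule_fires(event: dict) -> bool:
    """Condition: every selection must match and no filter may match."""
    return matches_selection(event) and has_revoked_version(event) and not is_uninstall(event)


def evaluate(events: list[dict]) -> list[str]:
    """Return the ids of the events on which the rule would alert."""
    return [e["id"] for e in events if rule_fires(e)]


# Constructed sample process-creation events (hypothetical hosts and paths).
ANYDESK_IMAGE = r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
ANYDESK_META = {"Description": "AnyDesk", "Product": "AnyDesk", "Company": "AnyDesk"}

SAMPLE_EVENTS = [
    # Old 7.1 build, normal launch: should alert.
    {"id": "evt-1", "Image": ANYDESK_IMAGE, **ANYDESK_META,
     "FileVersion": "7.1.11", "CommandLine": f'"{ANYDESK_IMAGE}"'},
    # 8.0.8 ships with the new certificate: no alert.
    {"id": "evt-2", "Image": ANYDESK_IMAGE, **ANYDESK_META,
     "FileVersion": "8.0.8", "CommandLine": f'"{ANYDESK_IMAGE}"'},
    # Old build being uninstalled: matched by the filter, so no alert.
    {"id": "evt-3", "Image": ANYDESK_IMAGE, **ANYDESK_META,
     "FileVersion": "8.0.7", "CommandLine": f'"{ANYDESK_IMAGE}" --uninstall'},
    # Unrelated process: selection does not match.
    {"id": "evt-4", "Image": r"C:\Windows\System32\notepad.exe",
     "Description": "Notepad", "Product": "Microsoft Windows",
     "Company": "Microsoft Corporation", "FileVersion": "10.0.19041.1",
     "CommandLine": "notepad.exe"},
    # Prefix edge case: '8.0.1' also matches a hypothetical 8.0.10 build.
    {"id": "evt-5", "Image": ANYDESK_IMAGE, **ANYDESK_META,
     "FileVersion": "8.0.10", "CommandLine": f'"{ANYDESK_IMAGE}"'},
]

if __name__ == "__main__":
    print("alerts:", evaluate(SAMPLE_EVENTS))
```

Running the block prints `alerts: ['evt-1', 'evt-5']`: the 7.1 launch is caught, the 8.0.8 launch and the uninstall are correctly ignored, and the constructed 8.0.10 event shows the prefix-match caveat worth keeping in mind when a rule pins versions by string prefix.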

The rule is considered to have a medium level of severity, and false positives are unlikely.

Conclusion

This pull request was a rewarding experience, and it was gratifying to see it successfully merged. It served as a reminder of the importance of continuous learning and staying updated with the latest security threats.

A special thanks to Nasreddine Bencherchali (Nextron Systems) for his invaluable contributions to this rule. His expertise and dedication greatly enhanced the effectiveness of the rule.

I look forward to making more contributions in the future and helping to make our digital world a safer place.