AnyDesk Incident - Airlock Digital Customer Guidance

AnyDesk Incident
Airlock Digital Customer Guidance

 

This blog provides guidance for Airlock Digital customers regarding the AnyDesk security incident.

On the 2nd of February 2024, AnyDesk publicly disclosed a security incident https://anydesk.com/en/public-statement.

As a result of the incident, AnyDesk has replaced the digital certificates they use to sign code. This can be seen in the AnyDesk software change log here: https://download.anydesk.com/changelog.txt 

While AnyDesk has stated in their announcement that the software is safe to use, their action of revoking code signing certificates suggests that their existing certificates were likely compromised and should no longer be trusted.

The AnyDesk publisher/certificate name is philandro Software GmbH.

Customers that do not trust AnyDesk Publishers (Airlock Digital - All Versions)

Airlock Digital customers that do not trust the AnyDesk publisher within policy and are in enforcement mode require no action, as all code signed by ‘philandro Software GmbH’ will be proactively blocked through the nature of Allowlisting. 

Customers that trust AnyDesk publishers (Airlock Digital - v5.2+)

Airlock Digital customers that trust the AnyDesk publisher within policy and are running Airlock Digital v5.2+ (server and client) can block the original code signing certificate using a Blocklist Metadata rule.

This can be performed by copying the following Blocklist Metadata rule into an XML file and selecting ‘Import Blocklist XML Package’ within the Airlock Digital server.  This blocklist can then be audited and enabled within policies as desired.

<?xml version="1.0" encoding="utf-8"?>
<BlocklistExport>
    <ExportName><![CDATA[Anydesk]]></ExportName>
    <Timestamp>1706932497</Timestamp>
    <ResultsSection>
        <metarule>
            <name><![CDATA[anydesk tbs]]></name>
            <os><![CDATA[windows]]></os>
            <criteria>
                <field>tbshash</field>
                <operation>match</operation>
                <value>d3755c298d93003b7cac9ecb28e268d2216aac35d46684745122df38a84be720</value>
                <realvalue>d3755c298d93003b7cac9ecb28e268d2216aac35d46684745122df38a84be720</realvalue>
            </criteria>
        </metarule>
    </ResultsSection>
</BlocklistExport>

The above Blocklist Metadata rule blocks the ‘philandro Software GmbH’ To Be Signed (TBS) certificate hash value. This prevents any file signed by the original certificate from running.

Customers that trust AnyDesk publishers (Airlock Digital - v5.1 and lower)

Airlock Digital customers who trust the AnyDesk publisher within policy and are running Airlock Digital v5.2 or lower can block the main AnyDesk executable using version rules. 

This can be done by creating a blocklisting rule as follows: 

First Condition: File Description - Exact Match - AnyDesk
Secondary Condition: File Version - Less Than - 8.0.8

NOTE: Airlock Digital customers that rely on AnyDesk’s auto-updating functionality should consider blocking the untrusted certificate/file(s) after upgrades to the latest version of AnyDesk have been performed. This may help ensure that upgrade attempts are not blocked.

Please note that the Blocklist Metadata rules above will take precedence over all trust types, including if AnyDesk files are trusted by hash or path rules.

 

For more information, please reach out
to Airlock Digital via support@airlockdigital.com