
Software firm AnyDesk disclosed a security breach
Remote desktop software company AnyDesk announced on Friday that threat actors had access to its production systems.
The security breach was discovered as a result of a security audit; the company immediately notified the relevant authorities. AnyDesk did not reveal whether it has suffered a data breach.
In response to the security breach, the company revoked all security-related certificates, and systems have been remediated or replaced where necessary. The company is also going to revoke the existing code signing certificate used to sign its binaries.
As a precaution, the company also revoked all passwords to the web portal my.anydesk.com, and recommended that users change their passwords if the same credentials are used elsewhere.
Analysis from our SOC team
The extent of the data compromise remains undisclosed, especially since cybersecurity experts at the firm Resecurity found threat actors selling a large number of AnyDesk customer usernames and passwords on the Dark Web.
As an AnyDesk customer, it is highly recommended to follow these mitigation measures:
– Quickly change your AnyDesk passwords
– Use AnyDesk’s whitelisting feature so that only trusted devices are authorized to connect to your AnyDesk namespace
– Use multifactor authentication (MFA)
– Monitor unexpected password and MFA changes for customer accounts, suspicious sessions and possible emails sent on behalf of other entities referencing AnyDesk account information
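The last mitigation above is a monitoring task, so here is an added example (not from AnyDesk or from the original post) of the kind of review a SOC can run over account audit events after a vendor incident. The log format, the event names, the device IDs and the IP addresses are all constructed for the example; AnyDesk's real log format is not described on this page, so the parser would need to be adapted to whatever export the web portal or SIEM actually provides. The script flags password and MFA changes on any account and sessions started from devices that are not on the whitelist.

```python
import re

# Constructed, hypothetical audit-log format (NOT AnyDesk's own):
#   "<ISO timestamp> account=<user> event=<type> device=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+) "
    r"device=(?P<device>\S+) src=(?P<src>\S+)$"
)

# Account-security changes that should be rare and always reviewed
# after a vendor breach: credential resets and MFA enrolment changes.
SENSITIVE_EVENTS = {"password_changed", "mfa_disabled", "mfa_enrolled"}

# Constructed sample log; device IDs and IPs are documentation values.
SAMPLE_LOG = [
    "2024-02-03T09:12:44Z account=alice event=session_start device=123456789 src=203.0.113.10",
    "2024-02-03T09:40:02Z account=alice event=password_changed device=123456789 src=203.0.113.10",
    "2024-02-03T10:05:11Z account=bob event=session_start device=987654321 src=198.51.100.7",
    "2024-02-03T10:06:00Z account=bob event=mfa_disabled device=987654321 src=198.51.100.7",
    "2024-02-03T11:00:00Z account=carol event=session_start device=555000111 src=192.0.2.44",
    "this line is malformed and must be skipped, not crash the review",
]

# Devices the organization has explicitly trusted (constructed whitelist).
ALLOWLIST = {"123456789", "555000111"}


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines, allowlist):
    """Return a list of (severity, reason, record) findings, in log order.

    - Any sensitive account change is 'high': it must be confirmed with the user.
    - A session from a device outside the whitelist is 'medium': it should not
      be possible once whitelisting is enforced, so it indicates a gap.
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # tolerate malformed lines rather than abort the whole review
        if rec["event"] in SENSITIVE_EVENTS:
            findings.append(("high", f"{rec['event']} on account {rec['account']}", rec))
        if rec["event"] == "session_start" and rec["device"] not in allowlist:
            findings.append(
                ("medium", f"session from non-whitelisted device {rec['device']}", rec)
            )
    return findings


def accounts_needing_reset(findings):
    """Accounts with at least one 'high' finding: force a credential reset and re-enrol MFA."""
    return {rec["account"] for sev, _, rec in findings if sev == "high"}


if __name__ == "__main__":
    results = review(SAMPLE_LOG, ALLOWLIST)
    for severity, reason, rec in results:
        print(f"[{severity}] {rec['ts']} {reason} (src={rec['src']})")
    print("reset:", sorted(accounts_needing_reset(results)))
```

Run on the constructed sample, the review reports alice's password change, bob's session from a device that is not whitelisted, and bob's MFA being disabled; both accounts are then listed for a reset. In practice the whitelist should be the same set of device IDs that is configured in the AnyDesk namespace, so that a session appearing from any other device is by definition unexpected.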
JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances.
The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity.
“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company said.
The issue impacts all TeamCity On-Premises versions from 2017.1 through 2023.11.2. It has been addressed in version 2023.11.3.
Analysis from our SOC team
The potential for unauthenticated attackers to gain administrative control without needing valid credentials underscores the urgency of patching.
Organizations must prioritize updating to version 2023.11.3 to mitigate the risk of exploitation and ensure the security of their CI/CD pipelines.
If updating isn’t possible, JetBrains also released a security patch plugin that’s available for download and can be installed on TeamCity versions 2017.1 through 2023.11.2. You can find more information about it on the TeamCity Blog.
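Because the affected range is stated precisely on this page (2017.1 through 2023.11.2, fixed in 2023.11.3, with the security patch plugin as a stop-gap), an inventory check is straightforward to automate. The following is an added example, not JetBrains' code, that parses TeamCity's year.major.minor version strings and triages a constructed inventory of servers. The host names, version strings, the "(build ...)" suffix value and the plugin flag are all assumptions; obtain the real values from each server's administration page or your asset inventory.

```python
import re

# Affected range and fix version exactly as stated in the advisory summary above.
AFFECTED_MIN = (2017, 1)
AFFECTED_MAX = (2023, 11, 2)
FIXED_VERSION = (2023, 11, 3)

# TeamCity reports versions like "2023.11.2"; a UI string may append a build
# suffix, so only the leading dotted-number part is parsed.
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '2023.11.2' (optionally followed by ' (build ...)') into (2023, 11, 2)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text, patch_plugin_installed=False):
    """True when the server is in the vulnerable range and not covered by the plugin.

    Tuple comparison handles the mixed lengths: (2023, 11) sorts below
    (2023, 11, 2), so an unpatched 2023.11 is correctly counted as affected,
    while (2023, 11, 3) sorts above it and is not.
    """
    v = parse_version(version_text)
    in_range = AFFECTED_MIN <= v <= AFFECTED_MAX
    return in_range and not patch_plugin_installed


def triage(inventory):
    """Map each host to an action based on version and plugin status."""
    actions = {}
    for host, (version_text, plugin) in inventory.items():
        v = parse_version(version_text)
        if v >= FIXED_VERSION:
            actions[host] = "ok: fixed version"
        elif v < AFFECTED_MIN:
            actions[host] = "review: below documented affected range, unsupported release"
        elif plugin:
            actions[host] = "mitigated: patch plugin installed, schedule upgrade to 2023.11.3"
        else:
            actions[host] = "URGENT: vulnerable to CVE-2024-23917, upgrade to 2023.11.3 or install patch plugin"
    return actions


# Constructed inventory: host -> (version string, security patch plugin installed?).
# The build number is a placeholder, not a real TeamCity build.
INVENTORY = {
    "ci-prod-01": ("2023.11.2 (build 000000)", False),
    "ci-prod-02": ("2023.11.3", False),
    "ci-legacy":  ("2017.1", True),
    "ci-dev":     ("2021.2.3", False),
    "ci-old":     ("2016.2", False),
}

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(f"{host:12s} {action}")
```

The check is deliberately conservative: a server on the fixed version is reported clean, a server inside the range with the plugin is reported as mitigated but still queued for the real upgrade, and anything older than 2017.1 is flagged for manual review rather than silently treated as safe, since the advisory does not state anything about releases outside the range.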
A novel stealer malware called “Ov3r_Stealer” is making the rounds on Facebook, spreading through job ads and accounts on the social media platform, and using various execution methods to steal reams of data from unwitting victims.
The malware by design exfiltrates specific types of data such as geolocation (based on IP), hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according to researchers from Trustwave SpiderLabs. It sends the information to a Telegram channel monitored by the threat actors.
Though Trustwave has not yet seen wide-ranging campaigns using this malware, the researchers believe it remains under continual development and continues to pose a threat.
Analysis from our SOC team
While widespread campaigns using this malware have not been observed, its ongoing development poses a persistent threat.
Security awareness is key here, in order to help people spot malicious campaigns on social media and other attacker strategies. Threat hunting throughout the organization’s environment can help detect compromises before they have time to do damage.
Trustwave included a comprehensive list of indicators of compromise (IoCs) in their report to help organizations identify Ov3r_Stealer’s presence in their environment. You can find the report here.
Suspicious text messages (smishing) targeting CSAM users are currently circulating.
As a reminder, CSAM is the platform managed by FPS BOSA that allows citizens to use identification keys to access various online government services.
The fraudulent text message invites you to enter your account details through a link to get a refund. This, of course, is a scam. Do not click on the link.
Analysis from our SOC team
The tips described in the article are what we would like to emphasize as well. Do not click on a link in a suspicious message, do not open attachments, and do not download applications if you are asked to do so.
If you have been swindled, we advise you to report it to the police and contact your bank and/or Card Stop.
Suspicious text messages and emails can be forwarded to any of the three email addresses from Safeonweb.
– verdacht@safeonweb.be
– suspect@safeonweb.be
– suspicious@safeonweb.be
Our SOC is also available to assist in case there are any doubts or suspicions about text or mail messages.