TT-CSIRT-4188.8.131.52: Beware of AnyDesk for Remote Connection
The Trinidad and Tobago Cyber Security Response Team has observed an increase in the use of AnyDesk for unauthorized/malicious remote connections, especially in ransomware incidents. We advise our constituents to exercise caution when using this software and to be aware of its use within their organizations, as it could lead to unauthorized access, data breaches, and other security risks. In this advisory, we provide guidance on how to prevent the use of AnyDesk and other remote connection software to enhance the security of your organization.
Why is AnyDesk a Security Risk?
AnyDesk is remote desktop software that allows users to access and control a remote computer from anywhere. While this software is useful for remote work and technical support, it can also be exploited by cybercriminals for malicious purposes, such as stealing confidential information, installing malware, and launching ransomware attacks.
Cybercriminals often use AnyDesk to gain remote access to a victim’s computer, transfer files, execute payloads that encrypt the host’s files, and demand a ransom for decryption. These attacks can cause significant downtime, financial loss and reputational damage to an organization. Attackers are also able to mask their identities, since the network connections will have AnyDesk source addresses. It is, therefore, essential to take proactive measures to prevent the use of AnyDesk and other similar software when there is no use case for it.
How to Prevent the Use of AnyDesk and Other Remote Connection Software
- Implement a Remote Access Policy:
Organizations should establish a remote access policy that defines the rules and requirements for using remote connection software. The policy should specify who is allowed to use remote access, what type of software is permitted, and under what conditions. It should also include guidelines for securing remote connections and monitoring access activities.
- Limit Access:
Only allow users who have a legitimate business need to access remote connection software. Limit access to specific individuals or groups, and require strong authentication methods, such as multi-factor authentication (MFA), to verify their identity. This will reduce the risk of unauthorized access and prevent cybercriminals from gaining a foothold in your network.
- Block AnyDesk and Other Remote Connection Software:
Organizations should consider blocking AnyDesk and other remote connection software from their network. This can be done by creating firewall rules that block inbound and outbound traffic on the specific ports and IP addresses associated with the software. This restriction is strongly advised unless there is a use case for the software and its use is being monitored to detect usage violations.
- Use Endpoint Security Software:
Employing robust security software such as antivirus, anti-malware, and intrusion detection systems will help to detect and prevent unauthorized access. It is essential to keep these tools up to date so that they can detect the latest threats.
- Educate Employees:
Regularly train employees on how to identify and respond to security threats. Provide them with guidance on how to identify phishing emails and suspicious attachments. Encourage them to report any suspicious activity to the IT department.
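The monitoring that the access-limiting and blocking steps above depend on can start from DNS logs. The following Python code is an added example, not part of the TT-CSIRT advisory: it flags lookups of remote-access tool domains from hosts that are not approved under the remote access policy. The domain suffixes, host names, log format and sample lines are assumptions constructed for illustration.

```python
import csv
import io

# Assumed vendor domain suffixes; confirm against each vendor's firewall documentation.
REMOTE_TOOL_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "teamviewer.com": "TeamViewer",
}

# Hypothetical hosts approved for remote access under the organization's policy.
APPROVED_HOSTS = {"HELPDESK-01"}

# Constructed sample DNS log (not real data): timestamp,host,queried name
SAMPLE_LOG = """\
2024-01-10T09:12:01Z,HELPDESK-01,relay-1.net.anydesk.com
2024-01-10T09:15:44Z,FIN-WS-07,boot.net.anydesk.com.
2024-01-10T09:16:02Z,FIN-WS-07,BOOT.NET.ANYDESK.COM
2024-01-10T09:20:13Z,HR-WS-03,notanydesk.com
2024-01-10T09:21:30Z,HR-WS-03,router1.teamviewer.com
2024-01-10T09:22:00Z,HR-WS-03,www.example.org
"""


def match_tool(qname):
    """Return the tool name if qname is a listed domain or a subdomain of one."""
    name = qname.strip().rstrip(".").lower()
    for suffix, tool in REMOTE_TOOL_DOMAINS.items():
        # Match on a label boundary so 'notanydesk.com' is not flagged.
        if name == suffix or name.endswith("." + suffix):
            return tool
    return None


def find_violations(log_text, approved_hosts=APPROVED_HOSTS):
    """Return sorted (host, tool, first_seen, count) for unapproved hosts."""
    seen = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip malformed lines
        ts, host, qname = (field.strip() for field in row)
        tool = match_tool(qname)
        if tool is None or host.upper() in approved_hosts:
            continue
        key = (host.upper(), tool)
        first, count = seen.get(key, (ts, 0))
        seen[key] = (min(first, ts), count + 1)
    return sorted((h, t, first, n) for (h, t), (first, n) in seen.items())


if __name__ == "__main__":
    for host, tool, first_seen, count in find_violations(SAMPLE_LOG):
        print(f"{host}: {tool} lookups={count} first_seen={first_seen}")
```

A DNS lookup shows that the client software ran on the host, not that a remote session was established, so treat each hit as a lead to check against endpoint and firewall logs.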
The use of AnyDesk and other remote connection software poses significant security risks. It is essential to implement a remote access policy, limit access, block unauthorized software, and educate employees to reduce the risk of cyberattacks. By taking these steps, organizations can enhance their security posture and protect themselves against ransomware and other threats.
Stay safe and secure!