AnyDesk confirms server breach, urging password reset
- SISA Weekly Threat Watch - February 12, 2024
In a week marked by several cybersecurity disclosures, remote desktop software provider AnyDesk and internet infrastructure company Cloudflare both confirmed breaches, critical vulnerabilities were disclosed in the decentralized social network Mastodon and in Cisco's Expressway Series gateways, and the Mispadu banking trojan resurfaced with a campaign that abuses a Windows SmartScreen bypass. Together these incidents span stolen credentials and code signing keys, unpatched software, and targeted phishing, and they underscore the importance of credential hygiene and prompt patching to reduce risk.
SISA Weekly Threat Watch is our weekly feature that brings you a quick snapshot of the major security vulnerabilities and incidents that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.
1. Cloudflare experiences security breach: hacked using auth tokens stolen in Okta attack
Cloudflare disclosed that a presumed nation-state attacker used compromised credentials to access its self-hosted Atlassian server between November 14 and 24, 2023. The attacker viewed some internal documentation and a limited amount of source code: roughly 120 code repositories were accessed, and an estimated 76 of them are believed to have been exfiltrated.
After a four-day reconnaissance phase, the attacker created a rogue Atlassian user account and eventually reached the Bitbucket source code management system. Cloudflare traced the initial access to authentication tokens that were stolen in the October 2023 compromise of Okta's support case management system and had not been rotated afterwards. In response, Cloudflare rotated more than 5,000 production credentials and performed forensic triage on 4,893 systems to confirm the attacker had been evicted.
2. AnyDesk’s security alert on production server breach and password reset
AnyDesk, a widely used remote desktop software provider, disclosed a cyber attack on its production systems after finding evidence of the compromise during a security audit; the company stated that the incident was not ransomware. Source code and private code signing keys were stolen, and AnyDesk engaged external cybersecurity experts to assist with the response. While AnyDesk stated that the breach had no impact on end-user devices and that the software remains safe to use, it revoked all passwords to its web portal as a precaution and asked users to change their passwords, including anywhere the same credentials were reused.
AnyDesk has revoked the compromised code signing certificate and is replacing it with a new one; version 8.0.8, released on January 29, is already signed with the new certificate. Users and administrators should upgrade to the latest version and reset their portal passwords. For organizations, the incident is a template for responding to a stolen signing key: detect and isolate the affected systems, reset credentials and revoke access, replace the compromised certificate and re-sign releases, and bring in incident response specialists where needed.
3. Mastodon vulnerability allows hackers to hijack any decentralized account
Mastodon, the decentralized social network, disclosed a critical security flaw, CVE-2024-23832, that allows attackers to impersonate and take over remote accounts because of insufficient origin validation of content exchanged between instances. Rated 9.4 out of 10 on the CVSS scale, the vulnerability affects all Mastodon versions prior to the fixed releases 3.5.17, 4.0.13, 4.1.13 and 4.2.5. Administrators are strongly advised to update their servers promptly, and in any case before February 15, 2024.
Mastodon notified server administrators ahead of the advisory and committed to publishing technical details on February 15, 2024, once operators have had time to patch. The incident recalls last year's 'TootRoot' vulnerability and underscores the continual need for robust security in federated software, where a flaw in how one instance validates another can be used to attack users across the network. Recommendations: apply the update immediately, communicate transparently with users, and treat server-to-server trust boundaries as a priority in security reviews.
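As an added illustration of what "origin validation" between instances means, here is example code written for this advisory (it is not Mastodon's code or its actual patch, whose details were still embargoed at the time of writing). A fetcher that retrieves a federated object from one server should refuse to believe identity-bearing fields (`id`, `actor`, `attributedTo`) that point at a different origin; otherwise a malicious server can hand out objects that claim to belong to users elsewhere. The instance names and the sample objects below are constructed, and `attributedTo` is treated as a plain URI string for simplicity.

```python
from typing import Tuple
from urllib.parse import urlparse

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Tuple[str, str, int]:
    """Return the web origin (scheme, lowercase host, effective port) of an absolute URL."""
    p = urlparse(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = p.scheme.lower()
    return (scheme, p.hostname.lower(), p.port or DEFAULT_PORTS.get(scheme, -1))


def validate_remote_object(fetched_from: str, obj: dict) -> Tuple[bool, str]:
    """Accept a federated object only if every identity-bearing field it carries
    shares the origin of the server we actually fetched it from.

    Cross-origin claims are rejected outright: a document served by instance A
    is never allowed to assert that it was authored by a user on instance B.
    """
    try:
        expected = origin_of(fetched_from)
        for field in ("id", "attributedTo", "actor"):
            value = obj.get(field)
            if value is None:
                continue
            if not isinstance(value, str):
                return False, f"{field} must be a URI string"
            if origin_of(value) != expected:
                return False, f"{field} {value!r} is not same-origin with {fetched_from!r}"
    except ValueError as exc:
        return False, str(exc)
    if "id" not in obj:
        return False, "object has no id"
    return True, "ok"


# Constructed sample: the URL we fetched, a genuine note, and a spoofed one.
FETCHED_FROM = "https://instance-a.example/users/alice/statuses/1"

GENUINE_NOTE = {
    "id": "https://instance-a.example/users/alice/statuses/1",
    "type": "Note",
    "attributedTo": "https://instance-a.example/users/alice",
    "content": "hello fediverse",
}

# instance-a serving a note that claims to be written by bob on instance-b
SPOOFED_NOTE = {
    "id": "https://instance-a.example/users/alice/statuses/2",
    "type": "Note",
    "attributedTo": "https://instance-b.example/users/bob",
    "content": "i am bob, trust me",
}

if __name__ == "__main__":
    for label, note in (("genuine", GENUINE_NOTE), ("spoofed", SPOOFED_NOTE)):
        print(label, validate_remote_object(FETCHED_FROM, note))
```

The comparison is on the full origin (scheme, host and port), so `http://` versus `https://` or a non-default port is treated as a different server; host case and the default port are normalized so that legitimate variations do not cause false rejections.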
4. Latest Mispadu banking Trojan leveraging Windows SmartScreen vulnerability
The Mispadu banking Trojan has resurfaced with a campaign that exploits CVE-2023-36025, a Windows SmartScreen security bypass patched by Microsoft in November 2023, to compromise users, particularly in Latin America (LATAM). Mispadu is a Delphi-based information stealer delivered through phishing emails and active since at least 2019. The latest variant uses malicious internet shortcut (.url) files hidden inside deceptive ZIP archives; the crafted shortcuts abuse the SmartScreen flaw so that the usual warning about an unrecognized file is never shown when a victim opens them.
Mispadu selectively targets victims based on geographical location and system configuration, then communicates with a command-and-control (C2) server to exfiltrate stolen data. Recommendations include applying the Microsoft patch immediately, strengthening email and URL filtering (in particular, blocking or quarantining archives that contain .url files), deploying advanced threat detection tooling, and running targeted user awareness training on archive-based phishing lures.
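The delivery chain described above (a ZIP archive carrying an internet shortcut) is easy to check for at a mail gateway or in a sandbox. The following example, written for this advisory rather than taken from any vendor report, scans a ZIP in memory, parses each `.url` file as the INI-style `[InternetShortcut]` format it uses, and grades the finding: any shortcut inside an archive is worth a look, and one whose target is a file or network-share path rather than a web URL, or whose name hides behind a double extension, is treated as high severity. The archive contents are constructed for the demonstration; the IP address is from a documentation range.

```python
import configparser
import io
import zipfile
from typing import List, Optional
from urllib.parse import urlparse


def parse_internet_shortcut(data: bytes) -> Optional[str]:
    """Return the URL= target of a Windows .url file, or None if it does not parse."""
    # .url files are INI text, usually ASCII/UTF-8; tolerate a BOM and stray bytes.
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp.get(section, "URL", fallback=None)
    return None


def scan_zip_for_url_shortcuts(zip_bytes: bytes) -> List[dict]:
    """Flag every .url member of a ZIP archive and explain why it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            target = parse_internet_shortcut(archive.read(info))
            scheme = urlparse(target or "").scheme.lower()
            reasons = []
            if target is None:
                reasons.append("shortcut has no parsable URL= entry")
            elif target.startswith("\\\\") or scheme in ("file", "smb"):
                reasons.append("target is a file/network-share path rather than a web URL")
            elif scheme not in ("http", "https"):
                reasons.append(f"unexpected scheme {scheme!r}")
            stem = info.filename.rsplit("/", 1)[-1][:-4]  # drop the .url suffix
            if "." in stem:
                reasons.append("double extension disguises the shortcut as another file type")
            findings.append({
                "name": info.filename,
                "target": target,
                "severity": "high" if reasons else "medium",
                "reasons": reasons,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: one lure shortcut, one benign shortcut, one broken one, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Factura_2024.pdf.url",
                   "[InternetShortcut]\r\nURL=file://203.0.113.10/share/payload.exe\r\n")
        z.writestr("Promo.url", "[InternetShortcut]\r\nURL=https://www.example.com/\r\n")
        z.writestr("Oferta.url", "this is not a shortcut at all")
        z.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_for_url_shortcuts(build_sample_zip()):
        print(finding["severity"].upper(), finding["name"], "->", finding["target"], finding["reasons"])
```

In production the same function would run over attachments pulled from the mail flow; a reasonable policy is to quarantine archives with any high-severity finding and to log medium ones for review, since legitimate business mail almost never ships internet shortcuts inside ZIP files.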
5. Critical Cisco vulnerabilities expose Expressway gateways to CSRF attacks
Cisco has patched three vulnerabilities in its Expressway Series collaboration gateways, two of them rated critical, that expose unpatched devices to cross-site request forgery (CSRF) attacks. CVE-2024-20252 and CVE-2024-20254 allow an unauthenticated remote attacker who persuades an authenticated user to follow a crafted link to perform actions with that user's privilege level; if the user is an administrator, that includes modifying the system configuration and creating new privileged accounts.
The third CSRF flaw, CVE-2024-20255, can be used to cause a denial-of-service condition. Because these vulnerabilities affect Cisco Expressway Series devices in their default configuration, immediate patching is essential. Cisco has also stated that it will not provide security updates for the Cisco TelePresence Video Communication Server (VCS) gateway, which reached its end-of-support date on December 31, 2023, so any remaining VCS deployments should be migrated or isolated rather than left waiting for a fix.
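To make the CSRF mechanism behind these advisories concrete, here is an added example (written for this advisory; it is not Cisco's code, and the page does not describe the root cause of the Expressway flaws). A state-changing management endpoint that relies only on the session cookie is exploitable because the victim's browser attaches that cookie to a form the attacker's page auto-submits. The hardened variant adds two independent defences: the request's `Origin` (or `Referer`) must match the management UI, and the form must carry a per-session token compared in constant time. The session store, the `https://expressway.example` origin and the request shapes are constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed session store: one logged-in administrator. Real devices keep this server-side.
SESSION = {"sid": secrets.token_urlsafe(16), "csrf_token": secrets.token_urlsafe(32)}
# Hypothetical origin of the management UI; anything else is a cross-site request.
TRUSTED_ORIGIN = "https://expressway.example"


def origin_of(url: str):
    """Return scheme://host[:port] in lowercase, or None for an unusable value."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def create_admin_unprotected(request: dict) -> int:
    """Vulnerable handler: the browser attaches the session cookie to a forged POST,
    so the only check passes and the attacker's account gets created."""
    if request["cookies"].get("sid") != SESSION["sid"]:
        return 401
    return 201  # account created with whatever the form said


def create_admin_protected(request: dict) -> int:
    """Hardened handler: same session check plus two independent CSRF defences."""
    if request["cookies"].get("sid") != SESSION["sid"]:
        return 401
    # 1. The request must come from the management UI itself. Browsers set Origin on
    #    cross-site POSTs and scripts cannot spoof it; fall back to Referer if absent.
    source = request["headers"].get("Origin") or request["headers"].get("Referer") or ""
    if origin_of(source) != TRUSTED_ORIGIN:
        return 403
    # 2. Synchronizer token bound to the session; an attacker's page cannot read it.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), SESSION["csrf_token"].encode()):
        return 403
    return 201


def forged_request() -> dict:
    """What arrives when the victim's browser submits an attacker's auto-posting form."""
    return {
        "cookies": {"sid": SESSION["sid"]},            # sent automatically by the browser
        "headers": {"Origin": "https://attacker.example"},
        "form": {"username": "backdoor", "role": "admin"},  # no token: attacker cannot read it
    }


def legitimate_request() -> dict:
    """The same action performed from the real management UI."""
    return {
        "cookies": {"sid": SESSION["sid"]},
        "headers": {"Origin": TRUSTED_ORIGIN},
        "form": {"username": "newadmin", "role": "admin", "csrf_token": SESSION["csrf_token"]},
    }


if __name__ == "__main__":
    print("unprotected, forged  :", create_admin_unprotected(forged_request()))
    print("protected,   forged  :", create_admin_protected(forged_request()))
    print("protected, legitimate:", create_admin_protected(legitimate_request()))
```

Either defence alone would stop this particular forged request; keeping both matters because the `Origin` header can be missing in some browser configurations and a token can leak through other bugs. Marking the session cookie `SameSite=Lax` or `Strict` is a third, complementary layer that the example does not model.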
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.