CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits

Summary:
The Ukrainian government's Computer Emergency Response Team (CERT-UA) has received several reports of unidentified actors falsely claiming to represent CERT-UA in an attempt to connect to victims' systems via AnyDesk. These individuals impersonate CERT-UA, using its logo and the AnyDesk ID "1518341498" (which may change), and send AnyDesk connection requests to victims under the guise of a "security audit" to check the level of security. While CERT-UA may use remote access software, including AnyDesk, to assist cyber-protected facilities in addressing cyber incidents, the agency notes that such actions occur only after approval through previously agreed channels of interaction.

Security Officer Comments:
These types of attacks are effective only if the AnyDesk software is running on the targeted system and the actor has access to the victim's AnyDesk ID. In this case, these IDs are likely compromised through social engineering or obtained from other computers from which remote access was once authorized. Remoting into the victim's system via AnyDesk could enable the actors to steal other data of interest or even deploy malicious payloads for further persistence.


Suggested Corrections:
Recommendations from CERT-UA:
  1. Any remote access software should be enabled only for the duration of the session in which it is used.
  2. Any work that involves remote access must be personally agreed upon using existing communication channels.
  3. If such anomalies are detected, immediately inform the cyber defense units and, if necessary, CERT-UA so that response measures can be taken promptly.
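
One way to check a host against these recommendations, as an added example that is not from CERT-UA or the linked articles: the script reviews AnyDesk's `connection_trace.txt` for incoming sessions from the ID named in the notice or outside a pre-agreed window. The log layout (direction, timestamp, auth method, remote ID repeated), the `approved_windows` structure, and the sample IDs `100000001`/`100000002` are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# ID published in the CERT-UA notice; the notice says it may change.
REPORTED_IDS = {"1518341498"}

# Assumed connection_trace.txt layout: direction, "YYYY-MM-DD, HH:MM",
# auth method, remote AnyDesk ID (written twice).
LINE_RE = re.compile(
    r"^(?P<direction>Incoming|Outgoing)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\s+"
    r"(?P<auth>\S+)\s+(?P<remote_id>\d+)\s+\d+\s*$"
)

def parse_trace(text):
    """Yield one dict per well-formed trace line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d, %H:%M")
            yield rec

def review_incoming(text, approved_windows):
    """Flag incoming sessions from a reported ID or outside an agreed window.

    approved_windows (hypothetical structure): {remote_id: [(start, end), ...]}
    built from the organisation's own approval records.
    """
    findings = []
    for rec in parse_trace(text):
        if rec["direction"] != "Incoming":
            continue
        rid, ts = rec["remote_id"], rec["ts"]
        if rid in REPORTED_IDS:
            findings.append((ts, rid, "reported-id"))
        elif not any(s <= ts <= e for s, e in approved_windows.get(rid, [])):
            findings.append((ts, rid, "unapproved-session"))
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_TRACE = """\
Incoming    2025-01-15, 10:05    User    100000001    100000001
Incoming    2025-01-16, 23:40    User    100000001    100000001
Outgoing    2025-01-17, 09:00    User    100000002    100000002
Incoming    2025-01-17, 14:12    User    1518341498    1518341498
"""
APPROVED = {"100000001": [(datetime(2025, 1, 15, 10, 0), datetime(2025, 1, 15, 11, 0))]}

if __name__ == "__main__":
    for ts, rid, reason in review_incoming(SAMPLE_TRACE, APPROVED):
        print(f"{ts:%Y-%m-%d %H:%M}  {rid}  {reason}")
```

Because the notice states the impersonators' ID may change, the `unapproved-session` check against agreed windows is the durable control; the ID match is only a convenience.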

Link(s):
https://thehackernews.com/2025/01/cert-ua-warns-of-cyber-scams-using-fake.html
https://cert.gov.ua/article/6282069