Cybersecurity researchers from Sophos’ X-Ops incident response team have observed hackers deploying an unusual social engineering tactic to gain access to victims’ systems and steal sensitive data.
The team described how a new ransomware called Mad Liberator emerged in mid-July 2024, primarily focused on data exfiltration (rather than system encryption) but also sometimes engaging in double extortion (encryption + data theft). It also has a data leak website where it threatens to publish stolen data unless victims pay.
What sets Mad Liberator apart from other threat actors is its initial access vector. Hacking groups typically find their way in via phishing emails or instant messaging services. In this case, however, it appears that the attackers simply “guessed” the victim’s unique AnyDesk identifier.
Abuse of legitimate software
AnyDesk is a legitimate remote desktop application used by thousands of companies worldwide. Each device on which AnyDesk is installed is given a unique 10-digit identifier, which other endpoints can “dial” to request a remote session. Interestingly, the attackers simply dialed the identifier of one of the computers belonging to the victim organization, apparently without any prior interaction with the victim. The targeted computer did not belong to a high-profile employee or manager either.
The victim assumed that the IT department was performing routine maintenance and accepted the connection request without asking any questions.
This gave the attackers unrestricted access, which they used to deploy a binary that, at first glance, looks like a Windows update. They also disabled the victim's keyboard input, so that the victim could not uncover the ruse by accidentally pressing the Esc key and minimizing the running program.
Within a few hours, the criminals had extracted sensitive data from the device, connected to cloud services, and searched for other connected devices they could exploit.
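The access vector described above, an unsolicited incoming AnyDesk session from an ID the organization has never seen, leaves a trace on the endpoint. The following script is an added example, not code from Sophos or from AnyDesk: it scans constructed connection-log lines (the field layout is modelled on AnyDesk's connection_trace.txt but is an assumption for this example, not vendor documentation) and flags incoming sessions whose remote ID is not on an allowlist of the IT department's own AnyDesk IDs, that were accepted unattended via a stored password, or that arrived outside business hours. The allowlist and sample IDs are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample log in a tab-separated layout assumed to resemble AnyDesk's
# connection_trace.txt: direction, timestamp, how the session was accepted
# ("User" = a person clicked Accept, "Passwd" = unattended-access password),
# remote alias and remote ID. This layout is an assumption for the example.
SAMPLE_TRACE = """\
Incoming\t2024-07-16, 09:12\tUser\t123456789\t123456789
Outgoing\t2024-07-16, 11:40\tUser\t555000111\t555000111
Incoming\t2024-07-17, 14:03\tUser\t987654321\t987654321
Incoming\t2024-07-17, 22:51\tPasswd\t444555666\t444555666
"""

# Constructed allowlist: AnyDesk IDs belonging to the organisation's own IT support desks.
IT_SUPPORT_IDS = {"123456789"}

# Window in which an IT-initiated maintenance session would normally be expected.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

REASON_UNKNOWN_ID = "remote ID not in IT allowlist"
REASON_UNATTENDED = "accepted via stored password (unattended access)"
REASON_AFTER_HOURS = "outside business hours"


@dataclass
class Session:
    direction: str
    timestamp: datetime
    accept_method: str
    remote_alias: str
    remote_id: str
    reasons: list = field(default_factory=list)


def parse_trace(trace_text: str) -> list:
    """Parse tab-separated trace lines into Session objects, skipping malformed lines."""
    sessions = []
    for line in trace_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed or truncated line; do not guess its fields
        direction, ts, method, alias, remote_id = parts
        sessions.append(Session(
            direction=direction,
            timestamp=datetime.strptime(ts, "%Y-%m-%d, %H:%M"),
            accept_method=method,
            remote_alias=alias,
            remote_id=remote_id,
        ))
    return sessions


def find_suspicious_sessions(trace_text: str, allowlist: set) -> list:
    """Return incoming sessions that deserve a second look, each annotated with reasons."""
    flagged = []
    for s in parse_trace(trace_text):
        if s.direction != "Incoming":
            continue  # outbound sessions are initiated by the local user, out of scope here
        if s.remote_id not in allowlist:
            s.reasons.append(REASON_UNKNOWN_ID)
        if s.accept_method == "Passwd":
            s.reasons.append(REASON_UNATTENDED)
        if not (BUSINESS_START <= s.timestamp.time() <= BUSINESS_END):
            s.reasons.append(REASON_AFTER_HOURS)
        if s.reasons:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in find_suspicious_sessions(SAMPLE_TRACE, IT_SUPPORT_IDS):
        print(f"{s.timestamp:%Y-%m-%d %H:%M} incoming from {s.remote_id}: {'; '.join(s.reasons)}")
```

Run over the endpoint's own trace file, the same check gives a help desk a concrete list to confirm with the user ("did you accept a session from this ID?") rather than relying on the user to notice that the person on the other end was not IT.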
Once again, “assume nothing, suspect everything” proves to be the right mindset for staying safe in the workplace.