Deepfakes all the way down | AnyDesk security breach feels like SolarWinds
CyberInsights #128 - Payout of $25 million on a deepfake video call | Popular remote desktop software breached in a possible code-signing attack
Deepfake video call results in $25 million loss
Turns out everyone on the call, except for the scammed, was a deepfake
This article on CNN brings out the risks of deepfakes. [LINK]
Imagine attending a call with your CFO and a bunch of your colleagues and agreeing to make a payment of $25 million. Then, it turns out that your CFO was a deepfake video. Not only that, all your colleagues on the call were deepfakes.
You were the only ‘human’ on the call!
I have written about deepfakes a couple of times in 2023:
and here:
This one, however, is another level: an evolved strategy designed to scam even the most cyber-aware employee.
Read this piece from the article:
“Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.”
Kudos to the infosec and training teams! That worked. The employee was aware.
What did not work was the control environment. With no maker-checker step in place, this employee was allowed to execute a ‘secret’ transaction on the say-so of a deepfake CFO.
Where are your financial controls, duh?
The deepfake problem is not just affecting corporates, but also individuals. Check out this post on Wired about the porn problem caused by deepfakes. [LINK]
Take Action:
First, update your awareness presentations to include awareness of deepfake videos and the scams. The problem is growing fast. The images are no longer grainy and easily recognisable. Awareness is the first step.
Second, ensure financial transactions above a particular level follow the four-eyes principle. The scammer should have to fool two people at different levels of the hierarchy to get money out of the system. That’s financial control 101!
After breach, AnyDesk change their code signing certificates
It feels just like SolarWinds and Sunburst.
Remote Desktop software AnyDesk reported a breach. [LINK]
While their official line tries hard to play it down, it is difficult not to get worried. One part in particular:
“We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”
That’s where a cybersecurity professional is all ears. Code signing, you say? Where have I heard that before? Yes, it was SolarWinds.
We had written about it in 2020:
and again in 2023:
What is it about code signing that raises a red flag?
Every organisation that builds a binary (crudely put, an executable file produced from the source code) and lets people download it should ‘sign’ the binary with its private key. The download is then checked against the publisher’s public key, which ships in a certificate chained to a trusted authority: if a single byte of the binary has changed since it was signed, the signature no longer verifies.
If an attacker gets hold of the private key used for signing, they can produce their own malicious executables carrying a valid signature from the manufacturer. The operating system reports a trusted publisher, allow-listing policies keyed on that publisher let them run, and AV and EDR products, which treat a clean signature as a strong reputation signal, are far less likely to flag them. A valid signature only proves that whoever signed held the key, not that the key was in the right hands.
So, when AnyDesk say they are revoking the old certificate and changing the key used for code signing, the most likely reading is that the private key may have been compromised, and that users could have downloaded malicious binaries carrying AnyDesk’s signature. Any binary signed with the old certificate now has to be treated as suspect until it has been replaced with one signed under the new certificate. Read this on The Register [LINK]
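To make the trust chain concrete, here is an added illustration in Go. It is not AnyDesk’s code and not the Windows Authenticode/RSA stack real installers use; Ed25519 stands in for the signing algorithm, a public-key fingerprint stands in for a certificate thumbprint, and the vendor, client and ‘binaries’ are all constructed for the example. It walks through a genuine signed release, a tampered copy, malware signed with the stolen key, revocation of the old key, and a release under the new one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Publisher is the vendor's signing identity. The private key sits in memory only for this
// demo; in production it belongs in an HSM or a signing service, never in the build pipeline.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewPublisher() *Publisher {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to do but stop
	}
	return &Publisher{Pub: pub, priv: priv}
}
// Sign signs the SHA-256 digest of the binary. Ed25519 stands in for the RSA/Authenticode
// stack real installers use; the trust model (private key signs, public key verifies) is the same.
func (p *Publisher) Sign(binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(p.priv, digest[:])
}
// KeyID is a short public-key fingerprint, playing the role of a certificate thumbprint.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

var (
	ErrUnknownSigner = errors.New("signer is not a trusted publisher")
	ErrRevoked       = errors.New("signing key has been revoked")
	ErrBadSignature  = errors.New("signature does not match the binary")
)

// Verifier is the downloading client: trusted publisher keys plus revoked key IDs
// (the job a CRL or OCSP response does for X.509 certificates).
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}
func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}
func (v *Verifier) Trust(pub ed25519.PublicKey)  { v.trusted[KeyID(pub)] = pub }
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.revoked[KeyID(pub)] = true }

// Verify accepts the binary only if the key is trusted, not revoked, and the signature covers
// exactly these bytes. A signature made with a stolen key is mathematically valid, so only
// the revocation list can reject it; that is why revocation is checked first.
func (v *Verifier) Verify(keyID string, binary, sig []byte) error {
	if v.revoked[keyID] {
		return ErrRevoked
	}
	pub, ok := v.trusted[keyID]
	if !ok {
		return ErrUnknownSigner
	}
	digest := sha256.Sum256(binary)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// Outcome holds the result of each step; a nil error means the client would have installed it.
type Outcome struct {
	Genuine, Tampered, StolenKey, AfterRevocation, NewKey error
}

// Scenario replays the story: a genuine release, a tampered copy, malware signed with the stolen
// key, revocation, then a release under a new key. The "binaries" are constructed byte strings.
func Scenario() Outcome {
	var out Outcome
	vendor, client := NewPublisher(), NewVerifier()
	client.Trust(vendor.Pub)
	release := []byte("constructed: vendor installer, build 1")
	releaseSig := vendor.Sign(release)
	out.Genuine = client.Verify(KeyID(vendor.Pub), release, releaseSig)
	tampered := append(append([]byte{}, release...), " + injected loader"...)
	out.Tampered = client.Verify(KeyID(vendor.Pub), tampered, releaseSig)
	// The attacker now holds the vendor's private key, so this Sign call is the attacker's.
	malware := []byte("constructed: attacker-built installer")
	malwareSig := vendor.Sign(malware)
	out.StolenKey = client.Verify(KeyID(vendor.Pub), malware, malwareSig)
	client.Revoke(vendor.Pub) // vendor publishes the revocation and the client picks it up
	out.AfterRevocation = client.Verify(KeyID(vendor.Pub), malware, malwareSig)
	fresh := NewPublisher() // vendor re-signs its releases under a new key the client is told to trust
	client.Trust(fresh.Pub)
	out.NewKey = client.Verify(KeyID(fresh.Pub), release, fresh.Sign(release))
	return out
}

func main() {
	out := Scenario()
	fmt.Printf("genuine: %v\ntampered: %v\nstolen key: %v\nafter revocation: %v\nnew key: %v\n",
		out.Genuine, out.Tampered, out.StolenKey, out.AfterRevocation, out.NewKey)
}
```

Run it with `go run .` and the middle line is the uncomfortable one: the attacker’s binary passes every cryptographic check because the signature really was made with the vendor’s key. Nothing in the maths distinguishes it from a genuine release, which is why a suspected key compromise forces revocation rather than a quiet fix. Two caveats follow from the model. Revocation only protects clients that actually fetch the revocation data, and once the old key is revoked the genuine releases signed with it fail too, so every legitimate user has to re-download a build signed under the new key. That cost is exactly why a vendor does not rotate its code-signing certificate lightly.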
Take Action:
The more time you spend in cybersecurity, the more you realise that it’s always the basics.
Check the following:
How is your deployment pipeline being secured?
How do you protect your private keys used for code signing?
Can your incident response strategy handle a bunch of your customers who have downloaded malicious software signed by your private key?