Cybersecurity researchers from the Sophos X-Ops Incident Response team have seen hackers use an unusual social engineering tactic to gain access to victims’ systems and steal sensitive data.
The team outlined how a new ransomware actor called Mad Liberator emerged in mid-July 2024, primarily focused on data exfiltration (rather than system encryption), but also occasionally engaged in double extortion (encryption + data theft). It also has a data breach website where it threatens to publish the stolen data if victims don’t pay up.
What sets Mad Liberator apart from other threat actors is its initial vector of entry. Typically, such groups gain initial access via phishing emails or instant messaging lures. In this case, however, they appear to have “guessed” the victim’s unique AnyDesk identifier.
Abusing legitimate software
AnyDesk is a legitimate remote desktop application used by thousands of companies worldwide. Each device AnyDesk is installed on is assigned a unique 10-digit identifier that other endpoints can “call” to request access. Oddly enough, one day the attackers simply dialed into one of the victim organization’s computers, seemingly without any prior interaction. The targeted computer did not belong to a high-profile employee or manager either.
The victim assumed the IT department was performing routine maintenance and accepted the incoming connection without asking questions.
This gave the attackers unrestricted access, which they used to deploy a binary that at first glance looked like a Windows update. They also disabled the victim’s keyboard input, so the victim could not expose the ruse by accidentally pressing the Esc key and minimizing the running program.
After a few hours, the criminals managed to extract sensitive data from the device, connect to cloud services, and scan for other connected devices they could potentially access.
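The pattern described above, an unknown remote ID dialing in, the local user accepting, and the session then running for hours, is something a defender can hunt for in endpoint logs. The script below is an added example, not code from Sophos or from the original article: it parses a constructed AnyDesk-style session log (the line format, the `KNOWN_IT_IDS` allow-list and the sample IDs are all assumptions made for this example; real AnyDesk trace files use a different layout, so `parse_line()` would need adapting) and flags accepted inbound sessions from IDs the IT team does not own, escalating any that ran longer than a configurable threshold.

```python
"""Flag unsolicited inbound remote-support sessions in an AnyDesk-style log.

Added example, not part of the Sophos report or the AnyDesk product. The log
format, the allow-list and every ID below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log: a session_start line records who dialed in and
# whether the local user clicked "Accept"; session_end closes it.
SAMPLE_LOG = """\
2024-07-15 09:02:11 event=session_start remote_id=1234567890 local_user=helpdesk-svc accepted=true
2024-07-15 09:20:43 event=session_end remote_id=1234567890
2024-07-15 14:05:02 event=session_start remote_id=9988776655 local_user=jdoe accepted=true
2024-07-15 18:41:57 event=session_end remote_id=9988776655
2024-07-16 10:00:30 event=session_start remote_id=5555555555 local_user=asmith accepted=false
"""

# AnyDesk IDs owned by the internal IT team (constructed). Any other caller is
# treated as unsolicited until a ticket or change record explains it.
KNOWN_IT_IDS = {"1234567890"}

# Accepted sessions from unknown IDs that run at least this long are escalated.
LONG_SESSION = timedelta(hours=2)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) event=(?P<event>\w+) "
    r"remote_id=(?P<remote_id>\d{10})"
    r"(?: local_user=(?P<user>\S+) accepted=(?P<accepted>true|false))?$"
)


@dataclass
class Alert:
    remote_id: str
    local_user: str
    started: datetime
    duration: Optional[timedelta]  # None if the session was still open
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_unsolicited_sessions(log_text, known_ids=KNOWN_IT_IDS, long_session=LONG_SESSION):
    """Return an Alert for every accepted inbound session from a non-IT remote ID."""
    open_sessions = {}  # remote_id -> (start time, local user)
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        rid = rec["remote_id"]
        if rec["event"] == "session_start":
            if rec["accepted"] != "true":
                continue  # the user declined the prompt; the caller got nothing
            if rid in known_ids:
                continue  # expected IT activity
            open_sessions[rid] = (rec["ts"], rec["user"])
        elif rec["event"] == "session_end" and rid in open_sessions:
            started, user = open_sessions.pop(rid)
            duration = rec["ts"] - started
            reason = "unknown remote ID accepted by user"
            if duration >= long_session:
                reason += "; long session (possible exfiltration window)"
            alerts.append(Alert(rid, user, started, duration, reason))
    # Anything still open when the log ends is worth a look as well.
    for rid, (started, user) in open_sessions.items():
        alerts.append(Alert(rid, user, started, None,
                            "unknown remote ID accepted by user; session still open"))
    return alerts


if __name__ == "__main__":
    for alert in find_unsolicited_sessions(SAMPLE_LOG):
        print(alert)
```

On the sample data the helpdesk session is allow-listed and the declined prompt is ignored, leaving a single alert for the 4.5-hour session that `jdoe` accepted from an unknown ID. The same correlation could be tightened further by joining against the IT ticketing system, so that even a known IT ID is flagged when no maintenance record exists for that host and time.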
Once again, it turns out that “assume nothing, suspect everything” is the right mindset to stay safe in the workplace.