The AnyDesk and ConnectWise Breach: What Actually Happened and Who Was Behind It

March 22, 2026

In January 2024, AnyDesk's production systems were compromised — code signing certificates stolen, 18,317 credentials on the dark web. Three weeks later, ConnectWise ScreenConnect received a CVSS 10.0 authentication bypass actively exploited by LockBit, Black Basta, and Ghost ransomware. Here's the complete breach narrative, technical CVE breakdown, and real-world incident walkthrough.

01

Introduction

In January 2024, AnyDesk GmbH disclosed that its production infrastructure had been compromised. Code signing certificates were stolen. Over 18,000 customer credentials appeared on dark web markets before the public disclosure. Three weeks later, ConnectWise published a security advisory for CVE-2024-1709 — a CVSS 10.0 authentication bypass in ScreenConnect, the remote support platform used by tens of thousands of MSPs worldwide.

Within 48 hours of the ScreenConnect advisory, proof-of-concept exploits were publicly circulating. Within 72 hours, CISA had added both ScreenConnect vulnerabilities to its Known Exploited Vulnerabilities catalog. Within days, LockBit, Black Basta, and Bl00dy ransomware groups were actively exploiting unpatched servers. The window between safe and compromised was measured in hours, not weeks.

This is Part 1 of a three-part series. Part 1 covers what happened — the breach narratives, the technical CVE details, the threat actors, and a real-world incident walkthrough. Part 2 covers hardening checklists and detection engineering. Part 3 covers prevention, remediation, compliance, and incident response.

02

The Remote Access Revolution and Its Hidden Cost

How Remote Access Became Load-Bearing Infrastructure

Remote access tools have become load-bearing infrastructure for modern business operations. Before the pandemic, remote desktop and remote support tools were used primarily by IT departments for internal support. The shift to hybrid and remote work between 2020 and 2023 normalized persistent remote access across virtually every business vertical — healthcare practices in the Texas Medical Center, energy companies along the Houston Ship Channel, law firms in downtown Houston, manufacturing operations in Conroe and Katy, logistics companies in Pearland and Pasadena.

AnyDesk claims over 170,000 customers and 500 million downloads globally. ConnectWise is used by more than 25,000 managed service providers worldwide — meaning its attack surface isn't just the companies that run ScreenConnect directly, but every client of every MSP that deploys it. Potentially millions of business endpoints are reachable through a single tool's vulnerability.

A Pattern the FBI Has Been Warning About

The FBI, CISA, and NSA have issued repeated joint advisories about the abuse of legitimate remote access software. In 2023, CISA published a guide specifically on the malicious use of remote monitoring and management (RMM) tools, noting that threat actors increasingly prefer living-off-the-land techniques — using trusted, signed software that bypasses endpoint detection — over deploying their own malware. AnyDesk and ConnectWise are both explicitly named in that advisory.

The pattern repeats with regularity. SolarWinds in 2020 — supply chain attack through IT management software. Kaseya VSA in 2021 — ransomware delivered through MSP remote management platform, affecting 1,500 businesses simultaneously. ConnectWise in 2024 — authentication bypass affecting tens of thousands of on-premises deployments. The tools that make IT management efficient are, by design, the most dangerous single points of failure in your security architecture.

03

AnyDesk: A Global Infrastructure Breach in Plain Sight

What AnyDesk Disclosed — and What They Didn't

On February 2, 2024, AnyDesk GmbH published a security advisory disclosing that the company's production systems had been compromised. This was not a phishing attack against an employee or a misconfigured storage bucket — this was a breach of the core infrastructure that builds, signs, and distributes software running on hundreds of millions of endpoints worldwide.

AnyDesk's advisory described the incident as a "security audit" that "revealed evidence of compromised production systems." The company revoked all security-related certificates, rotated credentials, and released AnyDesk version 8.0.8 for Windows with a new code signing certificate. Users were urged to update immediately and change passwords.

What the initial advisory did not disclose — and what researchers subsequently uncovered — was the full scope of what was taken. According to Resecurity, which tracked the incident closely, threat actors were selling AnyDesk customer credentials on the dark web forum Exploit.in as early as January 2024, before AnyDesk's public disclosure. Resecurity identified 18,317 AnyDesk customer account credentials being offered for sale at $15,000 for the full dataset.

The Stolen Code Signing Certificate

The stolen code signing certificate is arguably more severe than the credential exposure. Code signing certificates are the trust anchors of software distribution — operating systems, endpoint protection platforms, and application control tools use them to distinguish trusted software from untrusted software.

A malicious application signed with a stolen AnyDesk code signing certificate would appear legitimate to Windows SmartScreen, antivirus engines, and application allowlisting systems. Trojanized AnyDesk installers that pass signature verification while delivering malware payloads could be distributed through software repositories, phishing emails, and fake update notifications — and victims installing what they believe to be a legitimate AnyDesk update would be compromised with no obvious warning.

AnyDesk revoked the compromised certificate and issued a new one. But certificate revocation is not instantaneous across all environments, particularly in air-gapped or poorly managed networks. For any installations that occurred between the certificate compromise and revocation — a window that may have lasted weeks — the risk of trojanized software persists in already-installed binaries that were validated at install time.

18,317 Credentials and How Attackers Use Them

Dark web credential markets operate on a straightforward commercial model. AnyDesk credentials are particularly valuable because AnyDesk is predominantly used by businesses. The accounts attached to AnyDesk's systems belong to companies, IT departments, MSPs, and support operations. Purchasing one credential set may yield access to dozens or hundreds of endpoints managed through that account.

Credential stuffing — automating authentication attempts against AnyDesk and other services using the purchased list — is the most immediate attack. AnyDesk accounts using the same password as the victim's Microsoft 365, email, or other services become vectors for account takeover across multiple platforms simultaneously. Infostealer malware (RedLine, Vidar, Lumma, Raccoon Stealer) continuously replenishes this market by harvesting stored credentials, session tokens, and saved connection profiles from infected machines.

04

CVE-2024-12754 and CVE-2024-12755: AnyDesk's Critical Windows Vulnerabilities

Two Separate Flaws, One Attack Chain

Separate from the production infrastructure breach, AnyDesk disclosed two significant Windows client vulnerabilities in December 2024. These represent software defects in the AnyDesk client application itself — not a compromise of AnyDesk's servers — and they compound the risk of the January 2024 credential exposure.

CVE-2024-12754 (CVSS 7.3 High) — Improper link resolution before file access (CWE-59). AnyDesk's logging component follows symbolic links without proper validation, allowing a local attacker with low privileges to overwrite arbitrary files on the Windows system. An attacker with standard user access can point AnyDesk's logging target at critical system files or security tool configurations, causing damage that persists after the session ends.

CVE-2024-12755 (CVSS 7.2 High) — Improper authorization (CWE-285). A local attacker with low privileges can cause AnyDesk's high-privilege service context to register a scheduled task on their behalf — a task that executes with SYSTEM-level privileges. This bypasses Windows UAC and standard privilege management controls entirely.

Both vulnerabilities were patched in AnyDesk version 9.0.1. The combined attack chain: use stolen credentials to establish an AnyDesk session → exploit CVE-2024-12754 to damage security tools → exploit CVE-2024-12755 to establish SYSTEM-level persistence → deploy ransomware that survives session termination. Verify your version in Help → About. Version 8.0.8 patches the certificate issue but does NOT patch these privilege escalation vulnerabilities.
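As an added illustration of the CWE-59 class behind CVE-2024-12754 (this is not AnyDesk's code and not the actual AnyDesk defect), here is a privileged logger that follows a planted symlink beside a hardened writer that refuses it. The file names are constructed, the flags are POSIX, and the Windows analogue is noted in the docstring:

```python
"""Added example (not AnyDesk's code): the CWE-59 pattern behind CVE-2024-12754,
a privileged logger that follows a planted symlink, next to a hardened writer.
POSIX flags are used; on Windows the analogue is FILE_FLAG_OPEN_REPARSE_POINT."""
import os
import stat
import tempfile


def naive_append(log_path: str, line: str) -> None:
    """Vulnerable pattern: open() resolves symlinks, so a low-privilege user who
    plants a link at the expected log path redirects the service's write."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(line + "\n")


def safe_append(log_path: str, line: str) -> None:
    """Hardened pattern: O_NOFOLLOW refuses a symlink at the final component,
    and fstat() on the opened descriptor refuses anything that is not a regular
    file (a full fix also opens the parent directory and uses openat())."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(log_path, flags, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"refusing non-regular log target: {log_path}")
        os.write(fd, (line + "\n").encode("utf-8"))
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a symlink planted where the service expects its log
    points at a file standing in for a security tool's configuration."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "edr_policy.conf")
        with open(target, "w", encoding="utf-8") as f:
            f.write("tamper_protection=on\n")
        planted = os.path.join(d, "service.log")
        os.symlink(target, planted)

        naive_append(planted, "routine log entry")
        with open(target, encoding="utf-8") as f:
            naive_clobbered = f.read() != "tamper_protection=on\n"

        safe_refused = False
        try:
            safe_append(planted, "routine log entry")
        except OSError:          # ELOOP from O_NOFOLLOW, or our PermissionError
            safe_refused = True

        real_log = os.path.join(d, "real.log")
        safe_append(real_log, "routine log entry")
        with open(real_log, encoding="utf-8") as f:
            safe_wrote = f.read() == "routine log entry\n"

        return {"naive_clobbered": naive_clobbered,
                "safe_refused": safe_refused,
                "safe_wrote": safe_wrote}


if __name__ == "__main__":
    print(demo())
```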

05

ConnectWise ScreenConnect: The CVSS 10.0 Authentication Bypass

The Disclosure That Shocked the MSP Industry

On February 19, 2024, ConnectWise published a critical security advisory for two vulnerabilities in ScreenConnect. CVE-2024-1709 received a CVSS v3.1 base score of 10.0, the maximum possible: the vulnerability is network-exploitable, requires no authentication, requires no user interaction, and grants complete control of the affected system. Any attacker with network access to a vulnerable ScreenConnect server can fully compromise it without credentials.

How the Authentication Bypass Works

The vulnerability exists in the ScreenConnect web setup wizard. The wizard was designed to be accessible without authentication — it's intended to run before any administrative accounts exist. The flaw: the wizard remains accessible via a path manipulation approach even after the system is configured and live, and its elevated execution context can be used to create new administrative accounts regardless of existing authentication state.

The attack chain: construct a crafted URL that bypasses routing authentication checks and reaches the setup wizard → invoke the admin account creation flow → create an account with attacker-controlled credentials → log in as admin → full control of every endpoint managed by that ScreenConnect instance.

CVE-2024-1708 (CVSS 8.4) — Path traversal chained with the auth bypass. Once authenticated via CVE-2024-1709, the attacker can write executable files outside the expected application directories, achieving remote code execution on the server. Together, the two CVEs form a complete unauthenticated remote code execution chain.

The Exploitation Timeline

Proof-of-concept exploits were published publicly within 24–48 hours of ConnectWise's disclosure. Huntress Labs honeypots detected active exploitation attempts within days. CISA added both CVE-2024-1709 and CVE-2024-1708 to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation at scale. The patched versions are 23.9.7.8119 and 23.9.8.8114. Cloud customers were patched automatically. On-premises customers who didn't patch within hours were exposed during active exploitation campaigns.

What Attackers Did Once Inside

In documented post-incident investigations, attackers used the CVE-2024-1709/1708 chain to accomplish multiple objectives before deploying ransomware:

  • Deployed webshells — persistent .aspx files in the ScreenConnect application directory that survive patching and reinstallation unless specifically removed
  • Installed AnyDesk backdoors via ScreenConnect's backstage scripting, registered to attacker-controlled accounts — providing redundant access independent of ScreenConnect
  • Conducted reconnaissance — Active Directory enumeration, network mapping, backup server identification, security tool inventory across all managed client environments
  • Disabled backup jobs silently through ScreenConnect's backstage scripting before deploying ransomware, eliminating the victim's recovery options
  • Exfiltrated data to cloud storage services before encryption, enabling double-extortion ransomware demands
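The first item above is the one most often missed during cleanup, since dropped .aspx files survive patching and reinstallation. As an added example (not ConnectWise tooling), this hunts for dropped or altered server-side script files in a ScreenConnect application directory by comparing against a baseline manifest taken from a known-good install; the directory layout, file names and hashes are constructed:

```python
"""Added example, not ConnectWise tooling: hunt for dropped or altered
server-side script files (webshells) in a ScreenConnect application directory
by comparing every .aspx/.ashx/.asax/.asmx file with a baseline manifest captured
from a known-good install. Paths and contents below are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List

SCRIPT_EXTS = {".aspx", ".ashx", ".asax", ".asmx"}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every script file under app_dir.
    Run this once on a freshly installed, patched server and store it off-box."""
    manifest = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, app_dir).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def hunt_webshells(app_dir: str, baseline: Dict[str, str]) -> List[dict]:
    """Flag script files absent from the baseline (dropped after install) or
    whose content differs (a shipped page modified to carry a backdoor).
    Patching and reinstalling do not remove dropped files, so run this after both."""
    current = build_manifest(app_dir)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append({"path": rel, "reason": "not in baseline", "sha256": digest})
        elif baseline[rel] != digest:
            findings.append({"path": rel, "reason": "hash mismatch", "sha256": digest})
    return sorted(findings, key=lambda f: f["path"])


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo() -> List[str]:
    """Constructed directory layout standing in for a ScreenConnect install."""
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "Login.aspx"), "<%@ Page %> shipped login page")
        _write(os.path.join(d, "Bin", "Service.ashx"), "<%@ WebHandler %> shipped")
        baseline = build_manifest(d)
        # After the incident: one shipped page altered, one new file dropped.
        _write(os.path.join(d, "Login.aspx"), "<%@ Page %> shipped login page + extra")
        _write(os.path.join(d, "App_Extensions", "x", "upload.aspx"), "<% dropped %>")
        return [f"{f['path']}: {f['reason']}" for f in hunt_webshells(d, baseline)]


if __name__ == "__main__":
    print("\n".join(demo()))
```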

06

Social Engineering: How Attackers Get Initial Access to Remote Tools

Vishing and Tech Support Scams

Not all AnyDesk and ScreenConnect compromises start with a technical exploit. A significant percentage begin with a phone call. The attacker calls a target employee, claims to be from the company's IT department, an AnyDesk support representative, or a Microsoft technician, and asks them to install AnyDesk and share the access code. The employee installs a legitimate, signed application and voluntarily provides access. The attacker connects and immediately begins exfiltrating data or installing malware.

This attack requires no technical sophistication and bypasses every security control. The rule must be absolute: if someone calls you unsolicited and asks you to install remote access software, the answer is always no, regardless of who they claim to be. Legitimate IT support is initiated by the employee submitting a ticket — not by an incoming call asking to take over the computer.

Phishing Targeting AnyDesk Users Post-Breach

Credential phishing targeting AnyDesk accounts specifically increased following the January 2024 breach, as attackers knew AnyDesk users were on edge about credential security. Phishing emails claiming to be from AnyDesk — warning about the breach, requesting password resets, offering security updates — redirected victims to phishing pages that harvested portal credentials. An AnyDesk user who had read about the breach was predisposed to believe an email about it was legitimate — making contextual phishing particularly effective in this case.

07

Ransomware Groups Weaponizing Remote Access Tools

LockBit, Black Basta, Bl00dy, and Ghost

LockBit 3.0 affiliates were among the first documented groups to exploit CVE-2024-1709 at scale. LockBit's ransomware-as-a-service model provided affiliates with ready-made tooling to take advantage of the ScreenConnect exploit. A single compromised MSP ScreenConnect server could allow a LockBit affiliate to deploy ransomware simultaneously across dozens of client businesses — the documented outcome in several post-incident investigations following the February 2024 disclosure.

Black Basta, which emerged from the Conti ransomware operation, was linked to ScreenConnect exploitation with a specific focus on healthcare organizations. Black Basta exfiltrates data before encryption and threatens public disclosure — a double-extortion model that creates additional leverage against healthcare organizations that cannot afford HIPAA breach publicity. Texas Medical Center-adjacent organizations were specifically at risk.

Bl00dy ransomware was explicitly named by CISA in ScreenConnect exploitation advisories, targeting healthcare and public health sector organizations — dental practices, home health agencies, specialty clinics, and other small healthcare providers that have high sensitivity to downtime but lower security maturity. These organizations often rely on MSPs for IT support, making MSP ScreenConnect compromise a direct path to these targets.

Ghost ransomware (tracked as Cring/Phantom) uses AnyDesk specifically as a command-and-control channel. AnyDesk's commercial code signing, encrypted communications, and NAT traversal make it ideal C2 infrastructure — it traverses firewalls, blends with legitimate traffic, and is unlikely to be blocked by corporate firewall policies that explicitly allow AnyDesk for support purposes. Ghost actors install AnyDesk under attacker-controlled accounts, creating invisible backdoors that persist indefinitely if not specifically hunted.

The MSP Targeting Economics

The monetization calculus is straightforward: instead of attacking 500 businesses individually, attack one ScreenConnect server and reach all 500 simultaneously. An MSP managing 50 clients represents $2.5M to $15M in potential ransom revenue from a single initial compromise — even if only 20 percent of clients pay. The economics will continue to drive attackers toward MSP infrastructure with the same intensity that once targeted financial institutions.

08

The MSP Supply Chain: When Your IT Provider Is the Attack Vector

The Trust That Becomes the Attack Surface

Kaseya VSA in July 2021 was the blueprint. REvil ransomware exploited zero-day vulnerabilities in the Kaseya VSA remote management platform, which was used by approximately 60 MSPs serving around 1,500 downstream businesses. The attack chain: compromise Kaseya VSA → push a malicious "update" to all managed endpoints via the legitimate management channel → encrypt everything simultaneously. The ransom demand was $70 million for a universal decryptor — the largest single ransom demand in history at the time. ConnectWise ScreenConnect in 2024 followed the same template.

The MSP relationship requires trust — administrative credentials, remote management capability, security tool deployment rights. That trust is also the attack surface. When an MSP's tools are compromised, every client becomes a potential victim without having done anything wrong themselves. Due diligence for MSP relationships must now include documented security assessments, not just references and response time guarantees.

Questions to Ask Your MSP Right Now

What remote management tools do you use to access our systems? You should have a specific list with patch status for each.

How quickly do you patch CVSS 10.0 vulnerabilities in your management infrastructure? The correct answer is same-day or within 24 hours — not "within our next patch cycle."

Do you have a current SOC 2 Type II report? Third-party attestation, not self-attestation.

Do you enforce MFA on all administrative accounts? Verify — don't accept "yes" without evidence.

What is your client notification procedure if your own infrastructure is compromised? If they don't have a documented answer, you will find out about a compromise via ransomware.

09

CISA's Known Exploited Vulnerabilities Catalog

Both CVE-2024-1709 and CVE-2024-1708 were added to CISA's KEV catalog within days of disclosure, confirming active in-the-wild exploitation. KEV listing means three things: the vulnerability is being exploited right now, PoC code is likely publicly available, and routine patch cycles are insufficient — emergency patching is required. Cyber insurance carriers increasingly reference the KEV catalog in claim investigations — running a KEV-listed vulnerable application after the listing date without documented remediation can result in claim denial on the basis of known, unmitigated risk. Subscribe to CISA KEV notifications at cisa.gov/known-exploited-vulnerabilities-catalog.

10

A Real Incident: How a ConnectWise Compromise Unfolded

Discovery to Ransomware in Nine Days

The following composite narrative draws from multiple post-incident investigations following the February 2024 ScreenConnect disclosure. An MSP serving 40 clients across Greater Houston ran a self-hosted ScreenConnect deployment on a Windows Server 2019 VM. The MSP's patch schedule targeted critical patches within 30 days — ConnectWise's February 19 advisory was routed into the next scheduled cycle. The ScreenConnect management interface was accessible on its default port without IP restriction.

Within 36 hours of the PoC exploit being published, automated scanning tools had indexed the server through Shodan. The authentication bypass was executed in under three minutes. The attacker created a new administrative account, accessed the full inventory of 40 client organizations, and identified three high-value targets: a construction company, a medical billing firm, and a regional distribution company.

Over the next six hours, ScreenConnect's backstage scripting was used to deploy AnyDesk silently on 14 servers across 7 client environments, each registered to an attacker-controlled AnyDesk account. The attacker also uploaded reconnaissance tools, mapped Active Directory across client environments, identified backup server locations, and enumerated security tools. The results were exfiltrated via HTTPS to an attacker-controlled server.

The Nine-Day Wait

For nine days, nothing visible happened. No ransomware, no obvious data tampering, no alerts. The MSP continued managing client environments normally, unaware the attacker had full visibility. During this period, the attacker monitored financial transaction timing, identified upcoming maintenance windows with reduced staff availability, and — critically — disabled backup jobs on three client servers through ScreenConnect's backstage scripting. The disabled backups were logged only locally on the ScreenConnect server the attacker controlled.

Friday Evening: Simultaneous Encryption

On the ninth day at 8:47 PM on a Friday, ransomware was deployed simultaneously to 14 servers across 7 client environments using the AnyDesk backdoors. By 10:00 PM, all 14 servers were encrypted. Monday morning, employees discovered ransom notes on every workstation connected to affected servers. The medical billing firm found 14 months of patient billing records encrypted — triggering HIPAA breach notification obligations for 4,200 patients.

Total recovery cost across 7 clients: over $1.8 million — incident response fees, forensic investigation, system rebuilds, HIPAA notification costs, lost revenue, and regulatory settlement. Two clients did not renew MSP contracts after recovery. The medical billing firm filed a negligence claim against the MSP for failure to patch a known critical vulnerability within a reasonable timeframe. The MSP's cyber insurance disputed the claim, citing failure to maintain reasonable security practices as a condition of coverage.

Three Controls That Would Have Changed Everything

Three controls would have broken this attack chain: (1) restricting the ScreenConnect admin interface to the MSP's office IP ranges — the attacker's scan would have received a TCP rejection rather than reaching the login page; (2) routing ScreenConnect authentication logs to an external SIEM with an alert for new administrative account creation — the account creation would have fired an alert within minutes; (3) ThreatLocker application control preventing ScreenConnect from deploying new applications via backstage scripting — the AnyDesk backdoors could not have been installed through the management interface. None of these controls are expensive. None require replacing ScreenConnect. All three are standard components of a properly configured MSP security architecture.
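Controls (1) and (2) above, together with the credential-stuffing pattern described in section 03, can be expressed as simple log-side detections. This is an added example, not ConnectWise's or AnyDesk's code; the key=value log format, the office range and the addresses are constructed:

```python
"""Added example, not ConnectWise's or AnyDesk's code: the two log-side controls
from the incident (alert on new admin account creation; admin logins must come
from MSP office ranges) plus a credential-stuffing heuristic (one source trying
many distinct accounts). The log format and addresses are constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed MSP office range (documentation prefix, not a real deployment).
OFFICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse(line: str) -> Dict[str, str]:
    """Constructed key=value format: '<ts> event=<e> user=<u> src=<ip> [role=<r>]'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = ts
    return ev


def analyze(lines: Iterable[str], office_nets=OFFICE_NETS,
            stuffing_threshold: int = 5) -> List[Tuple[str, str]]:
    alerts: List[Tuple[str, str]] = []
    failed_users = defaultdict(set)   # src ip -> distinct accounts tried
    for ev in map(parse, lines):
        src = ipaddress.ip_address(ev["src"])
        inside = any(src in net for net in office_nets)
        if ev["event"] == "account_created" and ev.get("role") == "admin":
            alerts.append(("NEW_ADMIN_ACCOUNT", f"{ev['user']} from {src} at {ev['ts']}"))
        elif ev["event"] == "login_success" and ev.get("role") == "admin" and not inside:
            alerts.append(("ADMIN_LOGIN_OUTSIDE_OFFICE", f"{ev['user']} from {src} at {ev['ts']}"))
        elif ev["event"] == "login_failed":
            failed_users[src].add(ev["user"])
    for src, users in failed_users.items():
        if len(users) >= stuffing_threshold:
            alerts.append(("CREDENTIAL_STUFFING", f"{src} tried {len(users)} distinct accounts"))
    return alerts


SAMPLE_LOG = [  # constructed sample, not a real capture
    "2024-02-21T03:10:01Z event=login_failed user=jsmith src=203.0.113.9",
    "2024-02-21T03:10:02Z event=login_failed user=mlee src=203.0.113.9",
    "2024-02-21T03:10:03Z event=login_failed user=rpatel src=203.0.113.9",
    "2024-02-21T03:10:04Z event=login_failed user=akim src=203.0.113.9",
    "2024-02-21T03:10:05Z event=login_failed user=dcruz src=203.0.113.9",
    "2024-02-21T03:12:44Z event=account_created user=svc_backup src=203.0.113.9 role=admin",
    "2024-02-21T03:12:51Z event=login_success user=svc_backup src=203.0.113.9 role=admin",
    "2024-02-21T08:30:12Z event=login_success user=tech1 src=198.51.100.10 role=admin",
]


def demo() -> List[str]:
    """Alert kinds raised for the sample; the office login on the last line is silent."""
    return [kind for kind, _ in analyze(SAMPLE_LOG)]


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The point of shipping these events to an external SIEM is that the attacker in the narrative controlled the only copy of the local logs; the checks only help if they run on a system the attacker cannot reach.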
