Cybersecurity researchers from the Sophos X-Ops Incident Response team have observed hackers deploying an unusual social engineering tactic to gain access to victim systems and steal sensitive data.
The team outlined how a new ransomware player called Mad Liberator emerged in mid-July 2024, mostly focused on data exfiltration (rather than system encryption), but also sometimes engaged in double extortion (encryption + data theft). It also has a data leak website where it threatens to publish the stolen data unless the victims pay up.
What sets Mad Liberator apart from other threat actors is their initial access vector. Usually, hacking groups would trick their way inside, usually with phishing email or instant messaging services. In this case, however, they seem to have “guessed” the unique Anydesk identifier.
Abusing legitimate software
Anydesk is a legitimate remote desktop application used by thousands of businesses worldwide. Each device where Anydesk is installed gets a unique identifier, a 10-digit number, which other endpoints can “dial” and thus gain access to. Oddly enough, the attackers one day just dialed into one of the computers belonging to the victim organization, seemingly with absolutely no prior interaction. The computer that was targeted also does not belong to any high-profile employee or manager.
The victim just assumed the IT department was doing regular maintenance so they accepted the dial-in, no questions asked.
This gave the attackers unabated access, which they used to deploy a binary that, on the surface, looks like a Windows update. They also disabled keyboard input from the victim’s side, to make sure they don’t spot the ruse by accidentally pressing the Esc button and minimizing the running program.
After a few hours, the crooks managed to pull sensitive data from the device, connected cloud services, and scanned for other connected devices they might pivot to.
Once again, “assume nothing, suspect everything” proves to be the proper mindset to remain secure in the workplace.
