This guide will take you through the steps to make a custom scheduled sending of a specific report
Focused Report  

Mobula - Configure Assets 

Tune Active Alerts - Getting started 

Outside working hours - Guide PM 

• Purpose: Identify and update/revoke outdated AnyDesk versions to prevent compromise of your customers.

• Check the Report: Validate outdated AnyDesk devices via asset inventory and SIEM logs.

• Approve or Update: Verify outdated installations, notify customers, enforce updates, and refine detection.

• Why Important: Outdated AnyDesk poses risks; update to prevent remote access threats.

Detailed Guide:

Overview

AnyDesk is a widely used remote access tool, but outdated versions may contain security vulnerabilities that expose networks to unauthorized access and exploitation. Recent intelligence has identified a security risk in older versions of AnyDesk, requiring immediate updates to mitigate potential threats.

This use case focuses on detecting and addressing outdated AnyDesk installations within a customer's network. By leveraging network modeling, SIEM correlation, and asset validation, security teams can identify vulnerable endpoints, notify affected customers, and enforce timely updates. Proactive mitigation ensures a stronger security posture, reducing the risk of remote access compromise and unauthorized system control.

Objectives:

• Detect outdated AnyDesk to prevent unauthorized access.

• Notify customers and enforce software updates.

• Prevent unauthorized remote access by maintaining updated tools.

Actions

AnyDesk Execution With Known Revoked Signing Certificate

ESM - Arcsight

Follow the path to generate a report for your Entities that shows all outdated versions of AnyDesk that persists on the computers.

/All Reports/Mobula Use Cases/Remote Access Tools/AnyDesk Execution With Known Revoked Signing Certificate

How to generate a Report - Mobula - Generate Reports

Please review your entity's report and send it to him so that he can see whether computers have outdated revoked AnyDesk versions.

*** If the report is empty, make sure that the Sysmon Conkit is at version 31 or above.

After the customer updates AnyDesk Version to the latest version and the report is empty (after verifying Sysmon Conkit version 31) you can change the rule stage of “AnyDesk Execution With Known Revoked Signing Certificate” to active.

Recommendations

• Immediate Update: Customers must update AnyDesk to the latest version from the official website.

• Software Inventory Management: Regularly audit and track remote access tools to ensure compliance.

• Access Control: Restrict outdated AnyDesk versions from running on critical systems.

• Endpoint Protection: Enforce security policies to prevent unauthorized remote access software.

• Customer Communication: Provide clear instructions and follow-ups for software updates.

• Continuous Monitoring: Regularly review logs and threat intelligence for emerging vulnerabilities.

Risks

• Unauthorized Access: Attackers may exploit outdated versions to gain remote control.

• Data Breach: Compromised AnyDesk could lead to unauthorized data access and exfiltration.

• Malware Deployment: Threat actors could use vulnerabilities to install ransomware or spyware.

• Lateral Movement: Attackers may use compromised devices to spread across the network.

• Compliance Violations: Running outdated software may breach security policies and regulations.

• Operational Disruption: Remote access compromise could lead to system downtime or lockouts.

• Credential Theft: Exploited versions may allow attackers to steal login credentials.

• Reputation Damage: A security breach due to outdated software can harm customer trust.

Conclusions

In conclusion, addressing outdated AnyDesk versions is essential for maintaining a secure network environment. Timely updates and proactive mitigation efforts help prevent unauthorized remote access, data breaches, and malware infections. Automating detection through SIEM and SOAR enhances response efficiency, reducing exposure to potential threats. Clear communication with customers ensures compliance and swift remediation, while continuous monitoring strengthens overall security posture. Enforcing strict software version policies further minimizes risk, safeguarding systems from exploitation and operational disruptions.

Exclusion Lists Mobula app 

Exclusion Lists ArcSight 

• Purpose: Identify and update/revoke outdated AnyDesk versions to prevent compromise of your customers.

• Check the Report: Validate outdated AnyDesk devices via asset inventory and SIEM logs.

• Approve or Update: Verify outdated installations, notify customers, enforce updates, and refine detection.

• Why Important: Outdated AnyDesk poses risks; update to prevent remote access threats.

Detailed Guide:

Overview

AnyDesk is a widely used remote access tool, but outdated versions may contain security vulnerabilities that expose networks to unauthorized access and exploitation. Recent intelligence has identified a security risk in older versions of AnyDesk, requiring immediate updates to mitigate potential threats.

This use case focuses on detecting and addressing outdated AnyDesk installations within a customer's network. By leveraging network modeling, SIEM correlation, and asset validation, security teams can identify vulnerable endpoints, notify affected customers, and enforce timely updates. Proactive mitigation ensures a stronger security posture, reducing the risk of remote access compromise and unauthorized system control.

Objectives:

• Detect outdated AnyDesk to prevent unauthorized access.

• Notify customers and enforce software updates.

• Prevent unauthorized remote access by maintaining updated tools.

Actions

AnyDesk Execution With Known Revoked Signing Certificate

ESM - Arcsight

Follow the path to generate a report for your Entities that shows all outdated versions of AnyDesk that persists on the computers.

/All Reports/Mobula Use Cases/Remote Access Tools/AnyDesk Execution With Known Revoked Signing Certificate

How to generate a Report - 

Please review your entity's report and send it to him so that he can see whether computers have outdated revoked AnyDesk versions.

*** If the report is empty, make sure that the Sysmon Conkit is at version 31 or above.

After the customer updates AnyDesk Version to the latest version and the report is empty (after verifying Sysmon Conkit version 31) you can change the rule stage of “AnyDesk Execution With Known Revoked Signing Certificate” to active.

Recommendations

• Immediate Update: Customers must update AnyDesk to the latest version from the official website.

• Software Inventory Management: Regularly audit and track remote access tools to ensure compliance.

• Access Control: Restrict outdated AnyDesk versions from running on critical systems.

• Endpoint Protection: Enforce security policies to prevent unauthorized remote access software.

• Customer Communication: Provide clear instructions and follow-ups for software updates.

• Continuous Monitoring: Regularly review logs and threat intelligence for emerging vulnerabilities.

Risks

• Unauthorized Access: Attackers may exploit outdated versions to gain remote control.

• Data Breach: Compromised AnyDesk could lead to unauthorized data access and exfiltration.

• Malware Deployment: Threat actors could use vulnerabilities to install ransomware or spyware.

• Lateral Movement: Attackers may use compromised devices to spread across the network.

• Compliance Violations: Running outdated software may breach security policies and regulations.

• Operational Disruption: Remote access compromise could lead to system downtime or lockouts.

• Credential Theft: Exploited versions may allow attackers to steal login credentials.

• Reputation Damage: A security breach due to outdated software can harm customer trust.

Conclusions

In conclusion, addressing outdated AnyDesk versions is essential for maintaining a secure network environment. Timely updates and proactive mitigation efforts help prevent unauthorized remote access, data breaches, and malware infections. Automating detection through SIEM and SOAR enhances response efficiency, reducing exposure to potential threats. Clear communication with customers ensures compliance and swift remediation, while continuous monitoring strengthens overall security posture. Enforcing strict software version policies further minimizes risk, safeguarding systems from exploitation and operational disruptions.