Hackers breached 3 US antivirus companies, researchers reveal. Source code, network access being sold online by “Fxmsp” collective.
In a report published Thursday, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed that a collective of Russian and English-speaking hackers are actively marketing the spoils of data breaches at three US-based antivirus software vendors. The collective, calling itself “Fxmsp,” is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims.
Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified “the potential victim entities” of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data “through a private conversation,” Boguslavskiy said. “However, they claimed that their proxy sellers will announce the sale on forums.”
Hackers breached 3 US antivirus companies, researchers reveal:
Fxmsp has a well-known reputation in the security community for selling access to breaches, focusing on large, global companies and government organizations. The group was singled out in a 2018 FireEye report on Internet crime for selling access to corporate networks worldwide, including a global breach of a luxury hotel group—potentially tied to the Marriott/Starwood breach revealed last November. AdvIntel’s researchers say the group has sold “verifiable corporate breaches,” pulling in profits approaching $1 million. Over the past two years, Fxmsp has worked to create a network of proxy resellers to promote and sell access to the group’s collection of breaches through criminal marketplaces.
In March, the group “stated they could provide exclusive information stolen from three top antivirus companies located in the United States,” AdvIntel’s researchers reported in a blog post going live today. “They confirmed that they have exclusive source code related to the companies’ software development.” And the group offered privately to sell the source code and network access to all three companies for “over $300,000,” the researchers said.
A screenshot shows a reverse-engineringtool view of code presented by the hacking collective Fxmsp showing access to a major US antivirus software company.
Hackers breached 3 US antivirus companies, researchers reveal:
According to the AdvIntel report, Fxmsp had managed to steal source code that included code for antivirus agents, analytic code based on machine learning, and “security plug-ins” for Web browsers. “Fxmsp also commented on the capabilities of the different companies’ software and assessed their efficiency,” the researchers wrote.
In the past, Fxmsp’s breaches have typically focused on exploiting Internet-connected remote desktop protocol (RDP) and Active Directory servers. But more recently, the group has claimed to have developed a credential-stealing botnet—malware that collects usernames and passwords—to target high-value networks that are better secured. “Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal,” AdvIntel’s researchers noted.
Update:
Boguslavskiy provided some additional details about the breach research in response to follow-up questions (and some of the feedback on this story). He said that AdvIntel first notified the FBI “through both Cyber Watch and the New York Cyber Task Force”.
told Ars that in October of 2018, Fxmsp “had a conflict with their proxy seller, and this relationship was compromised.” Since the proxy monitored Fmsp’s accounts on the various forums that the group typically sold its data through, this caused Fxmsp to move all its communications to Jabber instant messaging.
On May 5, Boguslavskiy said, “Fxmsp stated that one of the two teams orchestrating the attack against the AV companies compromised one access [point] while navigating through a victim’s client directory.” The hackers are currently trying to regain access. THis may have disrupted their original plans to sell the data.
“According to them, they planned to offer accesses for some of the companies in mid-May,” Boguslavskiy said, “most likely, by using forums (however, this is not confirmed: they used the term ‘make a public sale’).”
But because of the compromise of one access point, he noted, the group now plans to continue to make private offers of the data, with the possibility that offers for the other companies may appear in forums later this month.
Related Posts:
How to Spy on Competitors with Python & Data Studio(Opens in a new browser tab)
Learn RE – Regular Expressions in Python(Opens in a new browser tab)
Doomsday Docker security hole uncovered(Opens in a new browser tab)
Fake Google reCAPTCHA used to hide Android banking malware(Opens in a new browser tab)
B0r0nt0K Ransomware Wants $75,000 Ransom, Infects Linux Servers(Opens in a new browser tab)
Coding Resources Recommended by Tech Experts(Opens in a new browser tab)
How do I get FREE remote desktop support?(Opens in a new browser tab)
10 Visual Studio Code extensions for every developer(Opens in a new browser tab)
CSS tracking trick can monitor your mouse without JavaScript(Opens in a new browser tab)
Hacking the IoT: Vulnerabilities and Prevention Methods(Opens in a new browser tab)
How to secure your Nest account and cameras and keep hackers at bay(Opens in a new browser tab)
Facebook faces investigation by privacy commissioner over RBC access(Opens in a new browser tab)
North Korean Hackers Use ELECTRICFISH Malware to Steal Data(Opens in a new browser tab)
Cybersecurity burnout: 10 most stressful parts of the job(Opens in a new browser tab)
Only 9% of companies warn employees about IoT risks(Opens in a new browser tab)
Machine learning algorithms explained(Opens in a new browser tab)
Increase User Engagement & Why It Matters for SEO(Opens in a new browser tab)
