In a report published yesterday, researchers revealed that a collective of Russian and English-speaking hackers are actively marketing the spoils of data breaches at three US-based antivirus software vendors. The collective, calling itself “Fxmsp,” is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims.
This offer was for each individual company and it is not a set price. It could go as high as $1 million for one access. A definitive offer is still being discussed with intermediaries. According to the AdvIntel report, Fxmsp had managed to steal source code that included code for antivirus agents, analytic code based on machine learning, and “security plug-ins” for Web browsers. “Fxmsp also commented on the capabilities of the different companies’ software and assessed their efficiency,” the researchers wrote.
Researchers: 'Fxmsp' Russian Hacking Collective Exploits Victims Via RDP and Active DirectoryThe "Fxmsp" hacker collective has been advertising source code that it claims to have stolen from three top U.S. anti-virus software development firms, as well … https://t.co/tnJBl4ayKB pic.twitter.com/fh5k96Yg0p
— CyberSecurityResource (@InfoSecResource) May 10, 2019
Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center):
This is a case where I fear there is more rumour than fact. The source code image simply shows assembly code – something which is readily obtainable by running a debugger on any application, and which requires no direct access to any source code. Understanding assembly code is a skill commonly available within desktop application development teams. While it might help a malicious group to have access to the full source code for an application in creating their attacks; the reality is anyone targeting an anti-virus agent is likely very skilled in assembly language and might find source code more of a distraction. What is more concerning are claims of access to the networks of the AV companies. With such access to servers providing threat intelligence, a malicious group could be positioned to mask their activities, replace legitimate code or agents, and then create a rich target list who would be unaware of any changes in risk. This is a classic example of how malicious groups define the rules and targets for their attacks and why having robust and comprehensive threat models guide defences.
“In situations like this, its only natural for consumers to want to know if they are at risk, or even under attack. Since we don’t yet know when the potential breach occurred, there is no means to say an older version of any product is free from tampering. We can have confidence that any impacted vendors are working with law enforcement, and that any damage will be contained. In the interim, we should confirm that our anti-malware solutions have the digital signatures on them from our actual vendor. The process to do this varies by operating system, but can be easily performed by an end user. In the event of a discrepancy, contact the vendor and seek guidance from them.”