ARSTECHNICA is getting me worried here. We were all at KB4-CON in Orlando the last few days, and during the conference word got to me that security researchers found out that high-profile hackers have breached three AV companies with offices in the US and are selling the source code. UPDATE: the actual vendors are now known.
You would think that reputed security companies do their level best to keep criminal hackers our their networks. However, it's not only possible but it has happened several times in the past.
Six years after the fact, we all learned in 2012 that Symantec had been breached and that bad guys stole source code for Norton tools and pcAnywhere. Kaspersky announced in 2015 that their internal network had been breached.
Advance Intelligence, LLC is the InfoSec shop that broke the news, and here is their Executive Summary:
- "Fxmsp" is a high-profile Russian- and English-speaking hacking collective. They specialize in breaching highly secure protected networks to access private corporate and government information.
- They have a long-standing reputation for selling sensitive information from high-profile global government and corporate entities.
- In March 2019, Fxmsp stated they could provide exclusive information stolen from three top anti-virus companies located in the United States. They confirmed that they have exclusive source code related to the companies' software development. They are offering to sell it, and network access, for over $300,000 USD.
- AdvIntel subject matter experts assess with high confidence that Fxmsp is a credible hacking collective with a history of selling verifiable corporate breaches returning them profit close to $1,000,000 USD. AdvIntel alerted law enforcement regarding these claimed intrusions.
Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified “the potential victim entities” of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data “through a private conversation,” Boguslavskiy said. “However, they claimed that their proxy sellers will announce the sale on forums.”
Fxmsp has a well-known reputation in the security community for selling access to breaches, focusing on large, global companies and government organizations. The group was singled out in a 2018 FireEye report on Internet crime for selling access to corporate networks worldwide, including a global breach of a luxury hotel group—potentially tied to the Marriott/Starwood breach revealed last November.
Who Is/Are Fxmsp?
According to “ShadowRunTeam,” a high-profile Russian threat actor operating on Telegram, Fxmsp is reportedly a Moscow resident with the first name "Andrey" who started to engage in cybercrime activities in mid-2000 and specialized in social engineering.
Here is the arstechnica article which has some mitigation suggestions, and I will keep you up to date "real-time" if there are new developments through my twitter account.
UPDATE 5/13/2019 11:00am: SC Magazine says that the (probably) Moscow-based gang Fxmsp may have stolen code from a fourth security company. None of the companies allegedly affected have been publicly named, but researchers at Advanced Intelligence have "high confidence" that Fxmsp has the code it says it does.
UPDATE 5/13/2019 6:45pm: Symantec and Trend Micro are two of the three top U.S. antivirus companies that a group of Russian-speaking hackers claim to have compromised, Gizmodo has confirmed.
UPDATE 5/14/2019 6:45am: The third vendor is McAfee, revealed by chat logs that show a compromised high-privilege user in Active Directory. The vendors are commenting on this news with various PR responses which try to downplay the damage. That is how these things are done, first deny or downplay, and then over time allow the truth to come out and claiming it's "old news" that does not need to be covered. There's no word yet about a rumored fourth victim. What's the cost of a breach? In the case of Equifax, Infosecurity Magazine reports that it's so far cost the company $1.4 billion.
The problem is that if other bad guys get their hands on the source code they will inevitably find vulnerabilities that can be exploited. Your third-party endpoint security is actually a sizable attack surface. I see more and more people upgrade to Win10 and use the built-in Windows Defender. You can discuss this topic at our Hackbusters Featured Post discussion forum.
Let's stay safe out there.
Warm regards,
Stu Sjouwerman
Founder and CEO,
KnowBe4, Inc
