Three major U.S. anti-virus companies breached by Russian hackers

Russian hacking group Fxmsp offers to sell the source code of the antivirus software for $300,000

Fxmsp breached major security vendor netowrksRussian hackers Fxmsp managed to breach three US-based security firms and stole the source code of development tools and other important data. They are now selling this information of 30TB on the dark web for $300,000

New York-based cybersecurity firm Advanced Intelligence (AdvIntel), LLC published a report[1] that claims that high-profile Russian hacking group Fxmsp has compromised three major US cybersecurity vendors.

According to AdvIntel findings, Russian and English speaking Fxmsp threat actors managed to breach internal networks and steal the source code related to antivirus software development which compiles of 30 TB of data. Consequently, this data, along with access to systems, is offered on the black market for a little over $300,000.

Fxmsp is known to security experts since 2017 when it started its operation in underground communities and remained active ever since:

Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory.

The sophisticated group of hackers specializes in breaching high-profile corporations and governmental institutions and then selling the stolen information for profit, which is currently estimated as being close to 1 million U.S. dollars. This highly publicized case is actively being worked on by AdvIntel researchers and U.S. law enforcement.

Hackers posted screenshots of folders of the stolen data as a proof

AdvIntel first spotted that the breached information is being offered on the underground community forums in March 2019. Allegedly, the hacking group was actively focusing its activities towards breaching the AV companies since the beginning of 2019 and finally succeeded. In April 2019, cybersecurity experts confirmed that Fxmsp is trying to sell the data belonging to the antivirus vendors.

To increase the legitimacy of the data breach, hackers posted screenshots of folders that include the source code of the antivirus software, the security plugins and the AI from the three antivirus companies.

While it is yet unknown which cybersecurity firms are affected by the breach, Advanced Intelligence researchers claim that they are of high confidence that hackers' claims are accurate and that the stolen data is real and the files that were stolen by hackers can be used to extract the source code:

We believe with moderate-to-high confidence that it is possible to extract source codes from these files, if a sufficient technical skill is present.

According to SC Media,[2] Fxmsp hackers also managed to breach the fourth cybersecurity company, although its name still remains a mystery. Nevertheless, according to the report, one of the victims is one of the most popular AV vendors used in the world, while the other one has the most sophisticated security technology.

In the meantime, rumors in Twitter spread quickly – many people are guessing[3] that among those affected are Cylance and Symantec. The latter might be highly likely due to the unexpected resignation of the CEO Greg Clark just recently.[4]

A sophisticated credential stuffing botnet is used for the illegal business to thrive

According to researchers, the breach is executed by exploiting login credentials in a method called credential stuffing, which was also used in a massive Collection #1 and other breaches.[5] In this type of cyber attack, hackers rely on large lists of logins and passwords (typically stolen during other data breaches), which are used to make automated login requests with various automation tools. To expand the network and the operation field, hackers often employ a botnet which infects thousands of users worldwide.

Credential stuffing became one of the most prolific ways to retrieve sensitive data even from the most highly secured corporations, and weak usernames and passwords, along with password re-using across multiple accounts are greatly at fault.

For your own safety, we recommend you never use the same passwords for different accounts and use a complex combination of characters and numbers. The best way to protect yourself from data breaches is to enable two-factor authentication. Even if some malware is capable of bypassing the security of 2FA, most cyber attacks would be prevented.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions