In recent news, three major AntiVirus (AV) companies were allegedly hacked. Advanced Intelligence, LLC (AdvIntel) is a fraud prevention company aimed at maximizing the security, confidentiality, and integrity of the financial operations of businesses. Proof of data exfiltration was noted in the article and this story continues exclusively between AdvIntel and BleepingComputer.
Just a fair note: this blog post summarizes AdvIntel’s initial blog post (first link) and three posts from BleepingComputer. Aside from the two linked above, the other two will be referenced further down in this post.
AdvIntel states in their blog that the hacker collective is known as “Fxmsp” and is Russian- and English-speaking. Fxmsp has been around since 2017, having been involved in many top-tier underground communities. Over the years, Fxmsp has been establishing themselves and their trade network in the underground, working through trusted proxy resellers who promote their breaches. They’re known for packaging access to network environments via remote desktop protocol servers and exposed Active Directory servers. Their latest claimed feat is having developed a credential-stealing botnet aimed at high-profile targets.
What’s Been Done
Aside from the sample data to prove their network infiltration, Fxmsp seemed to be on a mission – a mission to kill, but in this case “kill” refers to a tireless objective of breaching three leading AV companies. Other alleged proof includes source code from various AV software, AI, and security plug-ins.
The total capacity of exfiltrated data amounts to 30 TB worth of data.
When Did This Happen
April 24, 2019 was when the claims surfaced. This was a quarter-long expedition that allegedly started off in Q4 of 2018. During this time, the collective was silent in the forums where they typically communicate.
Why Is This Happening
Fxmsp apparently has had their sights on one thing of late, and one thing only – taking on AV companies. They also specialize in targeting corporate and government networks across the globe.
Other than that: money.
Fxmsp was offering to sell exclusive source code for various software products, along with full network access, for $300K USD – that’s a lot of money for six months’ worth of work. Further, this was per company. Offering this package individually for the three companies pushes the potential revenue up to $900K.
Is Any of This True
Claims and attribution can be misleading, to say the least. If no one speaks out and claims responsibility, or even if multiple people do, what proof is there of that entity actually doing what they’ve claimed?
In this case, another high-profile Russian threat actor known as ShadowRunTeam seems to endorse Fxmsp, going as far as to inform AdvIntel of a name (“Andrey”) and stating Fxmsp started back in the mid-2000s. AdvIntel’s own subject matter experts assess, with high confidence, Fxmsp is the real deal. They stated that Fxmsp is credible and has a history of selling verifiable corporate data from breaches, earning them close to $1M USD.
BleepingComputer published this article, which depicts some of Fxmsp’s past chat logs, as well as communications from one of their proxy resellers known as BigPetya.
What Companies Were Impacted
A follow-up post by BleepingComputer reveals that the three impacted AV companies are: Symantec, McAfee, and Trend Micro. The post offers some screenshots of chat logs. Some of the logs discuss all three, others only two. The dialogue is fairly revealing and appealing as well.
What Are the Affected Companies Stating
First up: Symantec.
Symantec released a statement affirming the rumors but denying impact on themselves. They also said they have no reason to believe their customers should be concerned. AdvIntel backed that up stating Fxmsp has yet to provide sufficient evidence. Further, they stated that they’re confident in Symantec’s statement that customers need not be concerned.
Next up: Trend Micro.
Trend Micro responded to BleepingComputer, more or less downplaying the severity of what is going on. They claimed that only a lab network was infiltrated and that their global team is working closely with law enforcement personnel as well. AdvIntel wasn’t as quick to endorse this, claiming that the proof Fxmsp advertised clearly belongs to the company.
Last up: McAfee, the third company named. They simply neither confirmed nor denied the breach, only acknowledging the allegations.
It’s scary to think about the software products designed to secure our networks: what happens if and when they themselves get hacked? Beyond this case, there have been past instances of AV companies being breached as well. If they have such a tough time keeping the bad guys out themselves, what can be done?
This is where intrusion detection comes into play. Simply put, being hacked is merely a matter of when, not if. Sure, focus on keeping the bad guys out, but don’t neglect the ability to track them once they’re in. Audit, audit, audit; keep those logs stored and analyze them on a regular schedule so that intrusions can actually be detected.
Also, consider a multi-factor authentication solution for access to critical networked servers. It may seem like a hassle, but it raises the question: is the cost of recovery worth skipping another security layer, just to avoid taking an extra step?
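As an added illustration of the log review advised above (this is example code, not from the original post, AdvIntel or BleepingComputer), the Python snippet below scans constructed Windows Security events for Remote Desktop logons, the kind of access Fxmsp is said to package and sell. The jump-host allowlist and the sample records are assumptions, built inline so the script runs offline.

```python
from collections import defaultdict

RDP_LOGON_TYPE = 10          # Event 4624 LogonType 10 = RemoteInteractive (RDP)
# Assumption: admins are expected to RDP only from these jump hosts.
KNOWN_ADMIN_HOSTS = {"10.0.5.10", "10.0.5.11"}

def ev(event_id, account, logon_type, ip, time):
    # Simplified Security-log record; fields mirror 4624 (success) / 4625 (failure).
    return {"EventID": event_id, "Account": account, "LogonType": logon_type,
            "IpAddress": ip, "Time": time}

# Constructed sample events: two admins, plus one out-of-hours RDP success from
# an unknown address that follows three failed attempts from the same source.
SAMPLE_EVENTS = [
    ev(4624, "svc_backup", 10, "10.0.5.10", "2019-04-20T08:01:00"),
    ev(4624, "da_admin", 10, "10.0.5.11", "2019-04-20T08:15:00"),
    ev(4624, "da_admin", 3, "10.0.9.4", "2019-04-20T08:16:00"),   # network logon, not RDP
    ev(4625, "da_admin", 10, "203.0.113.7", "2019-04-21T02:37:00"),
    ev(4625, "da_admin", 10, "203.0.113.7", "2019-04-21T02:38:00"),
    ev(4625, "da_admin", 10, "203.0.113.7", "2019-04-21T02:39:00"),
    ev(4624, "da_admin", 10, "203.0.113.7", "2019-04-21T02:40:00"),
    ev(4624, "svc_backup", 10, "10.0.5.10", "2019-04-21T03:00:00"),
]

def rdp_alerts(events, known_hosts=KNOWN_ADMIN_HOSTS):
    """Return (account, ip, time, reasons) for each RDP logon worth review.
    Events are processed in time order, so earlier events form the baseline.
    """
    seen = defaultdict(set)      # account -> addresses it has used RDP from
    failed = defaultdict(int)    # source ip -> failed logon count (4625)
    alerts = []
    for e in sorted(events, key=lambda x: x["Time"]):
        ip, acct = e["IpAddress"], e["Account"]
        if e["EventID"] == 4625:
            failed[ip] += 1
            continue
        if e["EventID"] != 4624 or e["LogonType"] != RDP_LOGON_TYPE:
            continue
        reasons = []
        if ip not in known_hosts:
            reasons.append("source is not an approved jump host")
        if seen[acct] and ip not in seen[acct]:
            reasons.append("first RDP logon for this account from this address")
        if failed[ip]:
            reasons.append(f"preceded by {failed[ip]} failed logon(s) from this source")
        seen[acct].add(ip)
        if reasons:
            alerts.append((acct, ip, e["Time"], reasons))
    return alerts
```

Running `rdp_alerts(SAMPLE_EVENTS)` flags only the 02:40 logon for `da_admin`, with all three reasons attached.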