In a report published Thursday, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed that a collective of Russian and English-speaking hackers are actively marketing the spoils of data breaches at three US-based antivirus software vendors. The collective, calling itself âFxmsp,â is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims.
Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified âthe potential victim entitiesâ of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data âthrough a private conversation,â Boguslavskiy said. âHowever, they claimed that their proxy sellers will announce the sale on forums.â
Fxmsp has a well-known reputation in the security community for selling access to breaches, focusing on large, global companies and government organizations. The group was singled out in a 2018 FireEye report on Internet crime for selling access to corporate networks worldwide, including a global breach of a luxury hotel groupâpotentially tied to the Marriott/Starwood breach revealed last November. AdvIntelâs researchers say the group has sold âverifiable corporate breaches,â pulling in profits approaching $1 million. Over the past two years, Fxmsp has worked to create a network of proxy resellers to promote and sell access to the groupâs collection of breaches through criminal marketplaces.
In March, the group âstated they could provide exclusive information stolen from three top antivirus companies located in the United States,â AdvIntelâs researchers reported in a blog post going live today. âThey confirmed that they have exclusive source code related to the companies' software development.â And the group offered privately to sell the source code and network access to all three companies for âover $300,000,â the researchers said.
According to the AdvIntel report, Fxmsp had managed to steal source code that included code for antivirus agents, analytic code based on machine learning, and âsecurity plug-insâ for Web browsers. âFxmsp also commented on the capabilities of the different companiesâ software and assessed their efficiency,â the researchers wrote.
In the past, Fxmspâs breaches have typically focused on exploiting Internet-connected remote desktop protocol (RDP) and Active Directory servers. But more recently, the group has claimed to have developed a credential-stealing botnetâmalware that collects usernames and passwordsâto target high-value networks that are better secured. âFxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal,â AdvIntelâs researchers noted.
Update:
Boguslavskiy provided some additional details about the breach research in response to follow-up questions (and some of the feedback on this story). He said that AdvIntel first notified the FBI "through both Cyber Watch and the New York Cyber Task Force".
told Ars that in October of 2018, Fxmsp "had a conflict with their proxy seller, and this relationship was compromised." Since the proxy monitored Fmsp's accounts on the various forums that the group typically sold its data through, this caused Fxmsp to move all its communications to Jabber instant messaging.
On May 5, Boguslavskiy said, "Fxmsp stated that one of the two teams orchestrating the attack against the AV companies compromised one access [point] while navigating through a victim's client directory." The hackers are currently trying to regain access. THis may have disrupted their original plans to sell the data.
"According to them, they planned to offer accesses for some of the companies in mid-May," Boguslavskiy said, "most likely, by using forums (however, this is not confirmed: they used the term 'make a public sale')." But because of the compromise of one access point, he noted, the group now plans to continue to make private offers of the data, with the possibility that offers for the other companies may appear in forums later this month.
Â
Gloss