Update: 4th US anti-virus company's secrets for sale as cyber-criminals sell source code

News by Rene Millman

The Russian- and English-speaking hacking group Fxmsp is trying to sell anti-virus source code obtained from breaches of three US-based antivirus software vendors.

Security researchers have claimed that a group of Russian- and English-speaking hackers is trying to sell source code of anti-virus products obtained from the data breach of three unnamed US-based antivirus software vendors.

According to a blog post by Advanced Intelligence (AdvIntel), a group known as "Fxmsp" said it could provide exclusive information stolen from the companies and confirmed it had exclusive source code related to the companies' software development. It is offering to sell the code, together with network access, for more than US$ 300,000 (£230,000).

Researchers at the company assessed "with high confidence" that Fxmsp "is a credible hacking collective with a history of selling verifiable corporate breaches returning them profit close to US$ 1,000,000 (£768,000)".

The report said that the group breached the three companies in April this year, gaining access to their internal networks. It then extracted sensitive source code for antivirus software, AI and security plugins belonging to the three companies. The group also commented on the capabilities of the different companies' software and assessed their efficiency.

Researchers said that targeting these companies appeared to be the primary goal of Fxmsp's latest network intrusions.

"The actor claimed that antivirus breach research has been their main project over the last six months, which directly correlates with the six-month period during which they were silent on the underground forums where they normally post. This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019," said researchers.

AdvIntel alerted law enforcement regarding these claimed intrusions.

Tim Mackey, principal security strategist at Synopsys CyRC, told SC Media UK that this is a case where there is possibly more rumour than fact.

"The source code image simply shows assembly code – something which is readily obtainable by running a debugger on any application, and which requires no direct access to any source code," he said.

"Understanding assembly code is a skill commonly available within desktop application development teams. While it might help a malicious group to have access to the full source code for an application in creating their attacks; the reality is anyone targeting an anti-virus agent is likely very skilled in assembly language and might find source code more of a distraction. What is more concerning are claims of access to the networks of the AV companies."

Mackey added that with such access to servers providing threat intelligence, a malicious group could be positioned to mask their activities, replace legitimate code or agents, and then create a rich target list who would be unaware of any changes in risk.

"This is a classic example of how malicious groups define the rules and targets for their attacks and why having robust and comprehensive threat models guide defences," he said.

Tim Erlin, VP, product management and strategy at Tripwire, told SC Media UK that security companies aren’t immune from breaches, and certainly have sensitive data to protect.

"They may not be targeted as often because the data they have is harder to monetise," he said. "Source code for any security product, anti-virus included, is valuable to attackers working on ways to circumvent controls or avoid detection. If an attacker knows the internals of how security tools work, they can build exploits to avoid them more easily."

AdvIntel Director of Security Research Yelisey Boguslavskiy told SC Media in an interview: "We believe with moderate-to-high confidence that it is possible to extract source codes from these files, if a sufficient technical skill is present."

The first stirrings of trouble began in March 2019, as AdvIntel collected dark web intelligence related to corporate network breaches and an offer to sell stolen data. On April 24, the researchers were able to confirm Fxmsp’s attempted sale of AV companies’ data.

"According to the hacking collective, they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies’ internal networks," the AdvIntel blog post states.

Even though the post references only three victimized AV companies, Boguslavskiy told SC Media that on 5 May Fxmsp claimed that it had breached a fourth company. However, further details including the identity of the fourth company remain a mystery, as they have "never been disclosed" by Fxmsp, he stated.

To help market their illicit goods in dark web forums, the hackers included screenshots of folders purportedly containing 30 TB of extracted data. "The folders seem to contain information about the company’s development documentation, artificial intelligence model, web security software, and antivirus software base code," the post continues.

The hackers also included comments on and assessments of the AV products’ capabilities. "Fxmsp stated that one of the four companies has the most developed security technology, but the other one has a huge client base," Boguslavskiy said.

Boguslavskiy also informed SC that Fxmsp recently placed the sale on hold, due to what the hacking collective claimed was a compromise of one of its accesses. "This happened after we had notified the victims; therefore, we are currently figuring out the connection between our notification and their [Fxmsp's] compromise," he said.

Fxmsp announced the sale would resume on dark web forums soon, noting that trusted actors would receive two-week notice, Boguslavskiy added.

AdvIntel assesses with "high confidence" that Fxmsp "is a credible hacking collective" that has profited over US$ 1 million (£750,000) from the sale of stolen assets. According to the blog post, the group is proficient in both Russian and English, and is known to access victims' network environments "via externally available Remote Desktop Protocol (RDP) Servers and exposed Active Directory." Its members may also have developed their own credential-stealing botnet.
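The entry vector AdvIntel describes, externally reachable RDP servers, leaves a simple footprint in Windows Security logs: event 4624 (logon) or 4625 (failed logon) with LogonType 10 (RemoteInteractive) and a source address outside the organisation's own ranges. The following is an added detection example, not code from the article, AdvIntel or Fxmsp. The event records are constructed (one JSON object per line, as a log forwarder might emit them), and the set of "internal" address ranges is an assumption to be replaced with the organisation's real allocations.

```python
"""Flag RDP logons from external addresses in forwarded Windows Security events.

Added example; the events below are constructed, not real telemetry.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample: 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "Computer": "DC01.corp.example"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "10.20.1.55", "Computer": "DC01.corp.example"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23", "Computer": "RDP01.corp.example"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23", "Computer": "RDP01.corp.example"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23", "Computer": "RDP01.corp.example"},
    # Network logon (type 3) from outside: interesting, but not RDP, so not flagged here.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe",
     "IpAddress": "203.0.113.9", "Computer": "FS01.corp.example"},
    # Console/local session: Windows records "-" as the address.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "IpAddress": "-", "Computer": "WS01.corp.example"},
])

RDP_LOGON_TYPE = 10

# Assumed internal address space (RFC 1918, loopback, link-local, ULA).
# Replace with the organisation's own allocations in real use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip_text):
    """True if ip_text parses as an address that is in none of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" (no network source) or garbage: nothing to flag
    return not any(ip in net for net in INTERNAL_NETS)


def parse_events(lines):
    """Yield one dict per well-formed JSON line; skip blanks and malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad forwarder line should not stop the pipeline


def summarise(lines, fail_threshold=3):
    """Return external RDP successes and (ip, user, host) tuples with repeated failures.

    successes: list of (ip, user, computer) for 4624/LogonType 10 from external IPs.
    bruteforce: list of (ip, user, computer, count) for 4625/LogonType 10 from
    external IPs seen at least fail_threshold times.
    """
    successes = []
    failures = Counter()
    for ev in parse_events(lines):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if not is_external(ev.get("IpAddress", "")):
            continue
        key = (ev.get("IpAddress"), ev.get("TargetUserName"), ev.get("Computer"))
        if ev.get("EventID") == 4624:
            successes.append(key)
        elif ev.get("EventID") == 4625:
            failures[key] += 1
    bruteforce = [k + (n,) for k, n in failures.items() if n >= fail_threshold]
    return {"successes": successes, "bruteforce": bruteforce}


if __name__ == "__main__":
    result = summarise(SAMPLE_EVENTS.splitlines())
    for ip, user, host in result["successes"]:
        print(f"ALERT external RDP logon: {user}@{host} from {ip}")
    for ip, user, host, n in result["bruteforce"]:
        print(f"ALERT {n} failed RDP logons: {user}@{host} from {ip}")
```

On the constructed sample this flags the successful external RDP logon to the domain controller and the three failed attempts against "administrator" from one external address, while ignoring the internal logon, the non-RDP network logon and the console session. A successful external RDP logon straight to a domain controller is the case worth paging on, since that is the foothold the article describes.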

Until this most recent activity, the hacking group had been quiet since last October, when it abandoned dark web forums and migrated to secure messaging services in order to conduct business. "In April [we] were able to resume monitoring Fxmsp again," said Boguslavskiy.

AdvIntel is actively working with U.S. law enforcement on the case.

(Additional reporting by Bradley Barth at SC Media in the US)
