
Hackers breached 3 US antivirus companies, researchers reveal


Karlston


Source code, network access being sold online by "Fxmsp" collective.

An infographic from Advanced Intelligence showing the hacking group Fxmsp's breach-selling business model.
AdvIntel

In a report published Thursday, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed that a collective of Russian and English-speaking hackers are actively marketing the spoils of data breaches at three US-based antivirus software vendors. The collective, calling itself “Fxmsp,” is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims.


Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified “the potential victim entities” of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data “through a private conversation,” Boguslavskiy said. “However, they claimed that their proxy sellers will announce the sale on forums.”


Fxmsp has a well-known reputation in the security community for selling access to breaches, focusing on large, global companies and government organizations. The group was singled out in a 2018 FireEye report on Internet crime for selling access to corporate networks worldwide, including a global breach of a luxury hotel group—potentially tied to the Marriott/Starwood breach revealed last November. AdvIntel’s researchers say the group has sold “verifiable corporate breaches,” pulling in profits approaching $1 million. Over the past two years, Fxmsp has worked to create a network of proxy resellers to promote and sell access to the group’s collection of breaches through criminal marketplaces.


In March, the group “stated they could provide exclusive information stolen from three top antivirus companies located in the United States,” AdvIntel’s researchers reported in a blog post going live today. “They confirmed that they have exclusive source code related to the companies' software development.” And the group offered privately to sell the source code and network access to all three companies for “over $300,000,” the researchers said.

A screenshot shows a reverse-engineering tool view of code presented by the hacking collective Fxmsp showing access to a major US antivirus software company.
AdvIntel LLC

According to the AdvIntel report, Fxmsp had managed to steal source code that included code for antivirus agents, analytic code based on machine learning, and “security plug-ins” for Web browsers. “Fxmsp also commented on the capabilities of the different companies’ software and assessed their efficiency,” the researchers wrote.


In the past, Fxmsp’s breaches have typically focused on exploiting Internet-connected remote desktop protocol (RDP) and Active Directory servers. But more recently, the group has claimed to have developed a credential-stealing botnet—malware that collects usernames and passwords—to target high-value networks that are better secured. “Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal,” AdvIntel’s researchers noted.


Source: Hackers breached 3 US antivirus companies, researchers reveal (Ars Technica)




Time to promote antivirus from companies NOT located in the United States... like... Kaspersky or 360 Safeguard :P



Real-time antivirus is dangerous stuff because it requires 24/7 internet and admin privileges no matter who makes it. I use Linux most of the time, where I really don't need an antivirus, and I just use Clam, the open-source antivirus, for on-demand scanning, which doesn't require root like real-time antivirus does. It doesn't say which ones they attacked, does it? Most people I know that used real-time antivirus now just use Windows Defender, which is USA, or they use a free/paid non-USA one. It's the big enterprises and government who buy USA antivirus mostly.



straycat19

I don't use antivirus software at all. I prefer using Group Policies and common sense, which have served me well over the years. Back in the early 90s viruses did innocuous things to a computer, like filling an exe file with zeros so that a 49kb file became 200kb, and with the small hard drives it didn't take long for a drive to be filled. So the use of McAfee or Norton at the time was advantageous, but later not so much, as viruses progressed and malware became the norm. So the easy way to stop all of it is to not allow it to run, which is what software restriction policies do. And with a little common sense you can have a secure system with less overhead and no false positives. If you are paranoid you can always run one of the AV rescue disks on a weekly basis to check your system. Remote Desktop (RDP) should never be turned on; it is just an accident waiting to happen. There are safer and more secure ways to connect PCs when remote access is needed that don't compromise the host or the client.
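An added example (not part of the thread) for checking the two controls straycat19 recommends on a Windows host: that Remote Desktop is switched off and that a Software Restriction Policy, or AppLocker as an alternative, enforces a default-deny execution rule. It only reads registry values, firewall rules and the effective AppLocker policy; run it elevated.

```powershell
# Added example: read-only audit of RDP state and default-deny execution policy.
$findings = @()

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP connections are disabled.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($null -eq $ts -or $ts.fDenyTSConnections -ne 1) {
    $findings += 'Remote Desktop is enabled (fDenyTSConnections is not 1)'
}

# Inbound firewall rules in the "Remote Desktop" group should be disabled as well.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }
if ($rdpRules) {
    $findings += "Remote Desktop firewall rules enabled: $($rdpRules.Name -join ', ')"
}

# 2. Software Restriction Policy default level:
#    0 = Disallowed (only explicitly allowed code runs), 0x20000 = Basic User,
#    0x40000 = Unrestricted (everything runs unless explicitly blocked).
$srpPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$srp = Get-ItemProperty -Path $srpPath -Name DefaultLevel -ErrorAction SilentlyContinue
if ($null -eq $srp) {
    # No SRP configured: check whether AppLocker is enforcing instead.
    $al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforcing = $null
    if ($al) {
        $enforcing = $al.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' }
    }
    if (-not $enforcing) {
        $findings += 'No Software Restriction Policy and no enforced AppLocker rule collection'
    }
} elseif ($srp.DefaultLevel -ne 0) {
    $findings += ('SRP default level is 0x{0:X}, not Disallowed (0)' -f $srp.DefaultLevel)
}

if ($findings.Count -eq 0) {
    'OK: Remote Desktop disabled and a default-deny execution policy is in place'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Domain-joined machines may receive SRP or AppLocker settings from Group Policy that override the local values, so treat the local registry reading as one input and confirm with the effective policy.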



18 minutes ago, straycat19 said:

  Back in the early 90s viruses did innocuous things to a computer, like filling an exe file with zeros so that a 49kb file became 200kb, and with the small hard drives it didn't take long for a drive to be filled. So the use of McAfee or Norton at the time was advantageous,


The worst viruses didn't come out till the 1st decade of the 21st century; the 90s wasn't :shit:, and neither were any Windows made back then much good.

https://www.smithsonianmag.com/science-nature/top-ten-most-destructive-computer-viruses-159542266/

:lmao:



Patch Lady – so the a/v vendors are…

You remember the story about a hacker group claiming to have the source code and network access to three a/v vendors?

Per Bleeping Computer the vendors appear to be Trend, Symantec and McAfee.

Ouch.

And concerning.

Source: Patch Lady – so the a/v vendors are… (AskWoody - Susan Bradley)
