A Russian hacker collective known as Fxmsp claimed on April 24 that it breached three large U.S.-based antivirus companies.
AdvIntel, a cybersecurity firm, said on May 9 that it has seen the alleged stolen data sets via screenshots provided by Fxmsp. The firm said that the screenshots “seem to contain information about the company’s development documentation, artificial intelligence model, web security software, and antivirus software base code.” AdvIntel also said the hackers are offering for sale the source code related to the companies’ software development – as well as network access – for about $300,000.
“AdvIntel subject matter experts assess with high confidence that Fxmsp is a credible hacking collective with a history of selling verifiable corporate breaches returning them profit close to $1,000,000 USD,” the company wrote in a blog post. AdvIntel also noted that it has alerted law enforcement regarding the alleged intrusions.
Fxmsp claims that it has developed a “credential-stealing botnet capable of infecting high-profile targets,” which it uses to steal sensitive usernames and passwords. To monetize the stolen data, the group has “established a network of trusted proxy resellers to promote their breaches on the criminal underground.”
For this breach, the hackers claim they have “worked tirelessly” for the first quarter of this year and “finally succeeded and obtained access to the companies’ internal networks.” In terms of what was stolen, Fxmsp said it has extracted sensitive source code from antivirus software, artificial intelligence, and security plugins.
Though the hackers haven’t disclosed the names of the companies they’ve targeted, AdvIntel said they have “provided a list of specific indicators through which it is possible to identify the company even when a seller is not disclosing its name.”
As a means of mitigation, AdvIntel said companies should monitor and review their network perimeter for any externally exposed Remote Desktop Protocol servers and Active Directory services, which it identified as the two known initial attack vectors used by the group.
Additionally, companies should employ “robust patching and security hygiene, as well as monitoring for spearphishing email messages that might assist with identifying early warnings linked to the Fxmsp’s newer attack vector environment,” it said. Finally, AdvIntel suggested segregating and protecting sensitive source code development environments from access to the primary network in an attempt to “thwart attempts to exfiltrate intellectual property from the network.”
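The first of those recommendations, checking the perimeter for internet-facing RDP and Active Directory services, is easy to automate against scanner output. The script below is an added example written for this article, not code from AdvIntel or Fxmsp: it parses nmap "grepable" (-oG) output, which is standard nmap formatting but the scan lines here are constructed sample data rather than a real scan, and the set of ports it treats as risky (RDP plus the core AD ports) is the example's own choice.

```python
"""Flag externally reachable RDP and Active Directory services in a perimeter scan.

Added example, not from the article or AdvIntel. It parses nmap "grepable" (-oG)
output lines (constructed sample data below) and reports hosts that expose RDP
(3389) or the core AD ports (Kerberos 88, LDAP 389/636, SMB 445, Global Catalog
3268/3269) to the internet.
"""
import re

# Ports that should never answer from the internet. The list is this example's
# own assumption, not a recommendation taken from the article.
RISKY_PORTS = {
    3389: "RDP",
    88: "Kerberos (AD)",
    389: "LDAP (AD)",
    636: "LDAPS (AD)",
    445: "SMB (AD/file)",
    3268: "Global Catalog (AD)",
    3269: "Global Catalog TLS (AD)",
}

# Constructed sample of nmap -oG output against a documentation-only range
# (RFC 5737); these are not results from any real scan.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Thu May  9 10:00:00 2019 as: nmap -oG - -p 88,389,443,445,636,3389 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (4)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (3)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (5)
# Nmap done at Thu May  9 10:00:05 2019 -- 16 IP addresses (3 hosts up) scanned
"""

# One port entry in -oG output looks like: 3389/open/tcp//ms-wbt-server///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")
HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Yield (host, port, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status: Up" lines carry no port data
        host = HOST_RE.match(line).group(1)
        # The Ports field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            yield host, int(m.group(1)), m.group(2), m.group(4)


def find_exposures(text, risky=RISKY_PORTS):
    """Return a sorted list of (host, port, label) for risky ports in state 'open'.

    Ports reported as 'filtered' are skipped here: something is blocking them,
    though they still merit a look during a manual review.
    """
    hits = []
    for host, port, state, _service in parse_grepable(text):
        if state == "open" and port in risky:
            hits.append((host, port, risky[port]))
    return sorted(hits)


if __name__ == "__main__":
    for host, port, label in find_exposures(SAMPLE_SCAN):
        print(f"{host}:{port} exposes {label} to the internet")
```

Run it against real output by feeding the file produced by `nmap -oG perimeter.gnmap -p 88,389,445,636,3268,3269,3389 <external-range>` into `find_exposures` from an external vantage point; anything it reports is a host where an exposed RDP or AD service should be moved behind a VPN or otherwise removed from the perimeter.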