Some very valuable information about the internal workings of certain antivirus companies could be for sale right now, available to cybercriminals all over the world. A Russian hacker group called Fxmsp hacked three American antivirus companies and is selling each company's product source code for $150,000. Fxmsp say that they have 30 terabytes of data from just a single company, but it is not clear how much they have from all three hacks. Additionally, Fxmsp are selling access to the hacked companies' networks for $250,000 each.
This seems like a lot of money, but online criminals can make even more. Some families of ransomware (a type of virus that locks people's files and demands money for restoring them) have collected hundreds of thousands of dollars in ransoms, and banking Trojans can steal money from bank accounts adding up to millions of dollars.
Apparently, the effort to breach these three companies has been going on for months, since the beginning of 2019, and the information is going on sale only now, in April and May of 2019.
All this data is being sold on online forums through proxy sellers.
Fxmsp
Before the hack of the three antivirus companies, there was little information about Fxmsp to be found, other than this FireEye report, which mentions Fxmsp's older thefts of information. Mostly these were sales of network access to various businesses and government agencies all over the world.
During the demonstration of the stolen data, Fxmsp apparently offered their opinion on the security of various companies. Some malware developers are critical of their victims' security and see themselves as consultants. The hacking is then seen as an earned punishment for having such flawed security.
Just like in their earlier attacks, Fxmsp used Remote Desktop to hack these three antivirus companies. Remote Desktop Protocol is used in a lot of targeted cyber attacks. The attacker only needs to know the password, and the victim only needs to have left the RD connection exposed. Both individuals and companies are vulnerable to RD hacking. As the name implies, Remote Desktop gives people the ability to connect to a computer remotely, including the ability to obtain administrator privileges. Fxmsp were also boasting of having long-term access to the hacked companies, which means that Fxmsp does not expect the companies to be able to purge them from their networks any time soon.
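As an added illustration for defenders, not part of the original article: the Python below flags the pattern the paragraph describes, repeated failed Remote Desktop logons from one source followed by a success, over a few constructed Windows Security log records. Windows logs RDP sessions with LogonType 10 (RemoteInteractive), failed logons as Event ID 4625 and successful ones as Event ID 4624; the field names, thresholds and sample events are assumptions made for this example.

```python
"""Added example (not from the original article): flag suspected Remote Desktop
password guessing in Windows Security log events.

Assumptions: events are dicts carrying a minimal subset of what Event ID 4625
(logon failed) and 4624 (logon succeeded) records contain. LogonType 10 is
Microsoft's RemoteInteractive type, i.e. an RDP session. All sample events
below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILURE_THRESHOLD = 5            # this many failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this window count as guessing


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rdp_events(events):
    """Keep only RDP (LogonType 10) logon events, sorted by time."""
    kept = [e for e in events if e["LogonType"] == RDP_LOGON_TYPE]
    return sorted(kept, key=lambda e: parse_ts(e["Time"]))


def find_password_guessing(events):
    """Return {source_ip: (max_failures_in_window, success_after_failures)}.

    A source is reported once it produces FAILURE_THRESHOLD or more failed RDP
    logons inside WINDOW. success_after_failures is True when the same source
    later logs a successful RDP logon; that is the case to escalate, because
    the guessing appears to have worked.
    """
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    flagged = {}
    for e in rdp_events(events):
        ip, t = e["SourceIP"], parse_ts(e["Time"])
        if e["EventID"] == 4625:
            # sliding window: forget failures older than WINDOW
            failures[ip] = [x for x in failures[ip] if t - x <= WINDOW]
            failures[ip].append(t)
            if len(failures[ip]) >= FAILURE_THRESHOLD:
                count, success = flagged.get(ip, (0, False))
                flagged[ip] = (max(count, len(failures[ip])), success)
        elif e["EventID"] == 4624 and ip in flagged:
            flagged[ip] = (flagged[ip][0], True)
    return flagged


def ev(time, event_id, logon_type, ip, account):
    return {"Time": time, "EventID": event_id, "LogonType": logon_type,
            "SourceIP": ip, "Account": account}


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_EVENTS = [
    # one source cycling through accounts every 40 seconds, then getting in
    ev("2019-03-02 01:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ev("2019-03-02 01:00:40", 4625, 10, "203.0.113.7", "admin"),
    ev("2019-03-02 01:01:20", 4625, 10, "203.0.113.7", "backup"),
    ev("2019-03-02 01:02:00", 4625, 10, "203.0.113.7", "svc_sql"),
    ev("2019-03-02 01:02:40", 4625, 10, "203.0.113.7", "helpdesk"),
    ev("2019-03-02 01:03:20", 4625, 10, "203.0.113.7", "jsmith"),
    ev("2019-03-02 01:04:00", 4624, 10, "203.0.113.7", "jsmith"),
    # a legitimate admin: one typo, then success (should not be flagged)
    ev("2019-03-02 02:10:00", 4625, 10, "198.51.100.20", "jsmith"),
    ev("2019-03-02 02:10:30", 4624, 10, "198.51.100.20", "jsmith"),
    # a slow source whose failures never fit inside one window
    ev("2019-03-02 03:00:00", 4625, 10, "203.0.113.50", "admin"),
    ev("2019-03-02 03:15:00", 4625, 10, "203.0.113.50", "admin"),
    ev("2019-03-02 03:30:00", 4625, 10, "203.0.113.50", "admin"),
    # network (LogonType 3) failures: not RDP, ignored by this detector
    ev("2019-03-02 04:00:00", 4625, 3, "192.0.2.9", "guest"),
    ev("2019-03-02 04:00:01", 4625, 3, "192.0.2.9", "guest"),
    ev("2019-03-02 04:00:02", 4625, 3, "192.0.2.9", "guest"),
    ev("2019-03-02 04:00:03", 4625, 3, "192.0.2.9", "guest"),
    ev("2019-03-02 04:00:04", 4625, 3, "192.0.2.9", "guest"),
    ev("2019-03-02 04:00:05", 4625, 3, "192.0.2.9", "guest"),
]

if __name__ == "__main__":
    for ip, (count, success) in find_password_guessing(SAMPLE_EVENTS).items():
        verdict = "FOLLOWED BY SUCCESSFUL LOGON" if success else "failures only"
        print(f"{ip}: {count} failed RDP logons within {WINDOW}, {verdict}")
```

The detector deliberately ignores non-RDP logon types so that ordinary file-share or service failures do not drown out the exposed-RDP case the article describes; a successful logon after a burst of failures is the event worth treating as a probable compromise rather than as noise.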
Fxmsp have also claimed that they are developing a botnet that could steal usernames and passwords from high-profile companies and send those credentials back to Fxmsp. This would give Fxmsp even more ability to stay in a network for a long time, or to find ways to get back in and continue stealing information.
It is possible that this information will be used in the future to develop more antivirus-resistant malware, but we can only speculate. Still, this is the source code of some antivirus programs and plugins, along with their technologies and documentation. If the buyers of this data were to use it to develop a sophisticated virus and attack suddenly, the first victims would have no way to defend themselves. As always, it is important to be prepared: keep your passwords complex, turn on two-factor authentication, and be careful online.
Source: Security Affairs