Delaware, USA – May 14, 2019 – Three security solutions vendors became victims of the Fxmsp hacker group: Trend Micro, Symantec, and McAfee. The adversaries sneaked into the internal networks of the organizations, stole the source code of their solutions, and then put it up for sale through trusted proxy resellers. In addition to the source code, they promised to provide access to the networks of the compromised organizations for $300,000. Security company AdvIntel has published a report on its investigation into the activities of the Fxmsp group. The researchers managed to get access to the hacker group's internal chat and its communications with resellers; some of the screenshots are published on BleepingComputer. It is known that the group is mostly Russian-speaking, and that it worked for half a year to compromise the antivirus companies. The attackers penetrated the internal networks by exploiting an unnamed vulnerability and moved laterally using legitimate software: TeamViewer and AnyDesk. Because this software was also used by the network administrators, its activity did not stand out, and the vendors learned about the data breach only after AdvIntel's alerts. In at least one of the attacks, the hackers gained access to Active Directory. The adversaries claim that they were able to extract about 30 terabytes of data related to the companies' development, including antivirus software base code, development documentation, web security software, and an artificial intelligence model.
The Fxmsp hacker group has been operating since 2017, targeting corporate and government networks worldwide and selling verifiable corporate breaches. To protect against the group's known tactics, researchers recommend closely monitoring externally exposed Remote Desktop Protocol servers and Active Directory. You can use the VPN Security Monitor rule pack for your SIEM to detect typical signs of abuse or unauthorized access: https://my.socprime.com/en/integrations/vpn-security-monitor-arcsight
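As an added illustration of the two monitoring points above (not part of the original article and not SOC Prime's rule pack), the script below runs two simple checks over constructed, Windows-style log events: RDP logons (type 10) that originate outside the organisation's own address ranges, and launches of the remote-access tools named in the article on hosts where they are not expected. The internal CIDRs, host allow-list and sample events are all assumptions made up for the example.

```python
"""Toy detection checks for the tactics described in the article.
Sample events are constructed and loosely modelled on Windows Security
log fields (4624 = logon, 4688 = process creation)."""
import ipaddress

# Assumed internal address ranges; in a real SIEM this comes from asset data.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe"}

# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5",
     "TargetUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7",
     "TargetUserName": "svc_backup", "Computer": "DC01"},
    {"EventID": 4688, "NewProcessName": r"C:\Tools\AnyDesk.exe",
     "SubjectUserName": "svc_backup", "Computer": "DC01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "SubjectUserName": "jdoe", "Computer": "WS07"},
    {"EventID": 4688, "NewProcessName": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "SubjectUserName": "admin", "Computer": "WS07"},
]

def is_external(ip: str) -> bool:
    """True when the source address is neither loopback nor in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # e.g. "-" on local logons
        return False
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)

def external_rdp_logons(events):
    """RemoteInteractive (RDP) logons whose source is outside the internal ranges."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 10
            and is_external(e.get("IpAddress", ""))]

def remote_tool_launches(events, allowed_hosts=frozenset()):
    """TeamViewer/AnyDesk process launches on hosts not on the allow-list."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        exe = e.get("NewProcessName", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in REMOTE_ACCESS_TOOLS and e.get("Computer") not in allowed_hosts:
            hits.append(e)
    return hits

if __name__ == "__main__":
    # Assume WS07 is an admin workstation where TeamViewer is sanctioned.
    for e in external_rdp_logons(SAMPLE_EVENTS) + remote_tool_launches(SAMPLE_EVENTS, {"WS07"}):
        print("ALERT", e)
```

Both checks should be tuned with the real list of internal ranges and hosts where remote-access tools are sanctioned; the point is that tool usage by administrators is only noise if it is on the hosts and accounts you expect.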