
upnorth

In a report published Thursday, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed that a collective of Russian and English-speaking hackers are actively marketing the spoils of data breaches at three US-based antivirus software vendors.

The collective, calling itself “Fxmsp,” is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims. Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified “the potential victim entities” of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data “through a private conversation,” Boguslavskiy said. “However, they claimed that their proxy sellers will announce the sale on forums.”

Fxmsp has a well-known reputation in the security community for selling access to breaches, focusing on large, global companies and government organizations. The group was singled out in a 2018 FireEye report on Internet crime for selling access to corporate networks worldwide, including a global breach of a luxury hotel group—potentially tied to the Marriott/Starwood breach revealed last November. AdvIntel’s researchers say the group has sold “verifiable corporate breaches,” pulling in profits approaching $1 million. Over the past two years, Fxmsp has worked to create a network of proxy resellers to promote and sell access to the group’s collection of breaches through criminal marketplaces.

In March, the group “stated they could provide exclusive information stolen from three top antivirus companies located in the United States,” AdvIntel’s researchers reported in a blog post going live today. “They confirmed that they have exclusive source code related to the companies' software development.” And the group offered privately to sell the source code and network access to all three companies for “over $300,000,” the researchers said.
 

upnorth

This is um.... bad.
Access to the source code allows hackers the opportunity to locate showstopping vulnerabilities and exploit them, rendering the software useless... or worse.
As for the names of the three anti-malware software companies that were compromised, that's still a mystery. Unless someone in the cybersecurity business decides to shell out $300k to find out what's hiding in the 30TB of files, we may not find out until it's far too late.
 

blackice

Is there any official evidence that McAfee is one of the companies which have been breached?
There's no evidence of who any of the companies are. However, the report does state that browser extension(s) were compromised. So at least one of the companies concerned uses an extension, possibly all 3. That's about as much detail as there is at the moment.

By market share, based on a quick Google search, the top 3 from the US are McAfee, Malwarebytes, and Symantec, followed by Webroot and Cylance. But who knows till they report it, if they ever do. This is all assuming WD isn’t involved, which it doesn’t sound like it is based on the report.
 

Raiden

This is both interesting and concerning. It would be interesting to know who the 3 AV vendors are, but it's more than likely the ones already mentioned. I wouldn't be surprised if all the US AV vendors are scurrying around trying to figure out if they are one of the 3.
 

blackice

This is both interesting and concerning. It would be interesting to know who the 3 AV vendors are, but it's more than likely the ones already mentioned. I wouldn't be surprised if all the US AV vendors are scurrying around trying to figure out if they are one of the 3.
Supposedly they have been informed. I think the Ars article was updated. Interestingly the commenters on Ars seem skeptical if this is real or not based on the scant evidence provided. It’s either a hoax or very concerning.
 