May 13, 2019

And the ultimate prize for hacking goes to: Fxmsp, the international cyber-criminal ‘collective’ that apparently got past the network defences of three major anti-virus companies in March – stole their pre-release software and then brazenly put it up for auction online.

As revealed last week, security researchers at Advanced Intelligence (AdvIntel) say Fxmsp infiltrated the US firms and took source code for new anti-virus and other software products. The group is trying to sell the data for $300,000 USD.

By its own account, the hacking collective worked tirelessly for the first quarter of 2019 to pierce these companies' defences and finally succeeded in March, extracting sensitive source code from antivirus software, AI, and security plugins. Fxmsp also commented on the capabilities of each company's software – and even made assessments about its effectiveness.

This is hugely embarrassing for any anti-virus firm, which perhaps explains why no one has come forward yet to confirm or deny they've been hacked – though if the claim is true, they will need time to assess the extent of the damage.

And the damage could be considerable. The group claims to have hoarded 30 terabytes (TB) of stolen data, roughly equal to everything the Hubble Space Telescope will produce over three years, or a bit more than the volume of video uploaded to YouTube each day.

More than a pastime

Besides bragging rights, hacking a major security vendor’s source code could be hugely profitable. Other criminal groups and nation state actors would be keen to understand the underlying construction of leading AV software in order to better compromise it.

Having the source code of, say, a Symantec or Kaspersky could also enable future supply chain attacks, where malware is sneaked into legitimate software programmes and applications via infected updates.

Because the software is created by a trusted vendor, it's signed and certified as safe. Malicious code embedded within it can then run on company systems with all the permissions needed to steal data or damage it.

Having secured such a prize asset, Fxmsp has shown it has the commercial nous to profit from it.

The group operates its own IT distribution network of trusted proxy resellers who help it promote stolen products in online criminal marketplaces. It also claims to have developed a credential-stealing botnet capable of infecting high-profile targets and stealing their usernames and passwords.

AdvIntel says the group made more than $1 million USD last year selling its stolen wares.

That level of technical ingenuity and, if we can use the word, ‘professionalism’, confirms again that cyber criminality has evolved well beyond a rag-tag collection of hacking outfits or bedroom malcontents having a go. It’s arguably become a career choice or side-hustle – forming a parallel IT industry of its own.

If tech can’t save us, maybe people can

Against such a determined and well-organised foe, technology companies clearly don’t have much of an edge when it comes to protecting themselves.

Well-known brands like Amazon, Twitter, Equifax, Uber, and Dropbox have all been breached in the last few years. Meanwhile Facebook – with billions available for cyber defence and due diligence – almost routinely loses data or shares it recklessly with third parties.

Earlier this month we reported on the breach at networking giant Citrix where hackers had camped out on the company’s network for months before being found out.

Penetrating the essential systems of major cyber security vendors and selling their source code is definitely an escalation, but perhaps it was only a matter of time.

From technical vulnerabilities to poor processes and human error, every organisation has invisible weaknesses that can make it vulnerable to breach. Investing in the latest cyber technologies and making sure they are up to date is necessary, but technology alone can't offer a 100 per cent guarantee.

The best security systems in the world are both susceptible to human error and improvable with human agency. A programme of security awareness training can strengthen them by switching your people on to the risk of data breaches, whether from a phishing email, botnet infection, or an outside caller with an unexpected information request.

With better training and education, staff can help spot the signs of a breach, and avoid enabling one through misadventure and error.

Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we're already helping organisations just like yours.