[UPDATE: Companies named and replied] Who watches the watchers? - 3 US Antivirus companies breached

[rcmaehl]

Update: https://www.bleepingcomputer.com/news/security/fxmsp-chat-logs-reveal-the-hacked-antivirus-vendors-avs-respond/
 

Quote

BleepingComputer has obtained exclusive unredacted evidence from fraud prevention company AdvIntel showing communication from the Fxmsp hacker collective naming three of the victims. Below is a conversation about source code files for various products from antivirus companies Symantec, McAfee, and Trend Micro. The chat is between Fxmsp members:

 

Quote

"Symantec is aware of recent claims that a number of US-based antivirus companies have been breached. We have been in contact with researchers at AdvIntel, who confirmed that Symantec (Norton) has not been impacted. We do not believe there is reason for our customers to be concerned."

Quote

"We have an active investigation underway related to recent claims, and while it is not complete, we want to transparently share what we have learned. Working closely with law enforcement, our global threat research and forensic teams are leading this investigation. At this moment, we are aware that unauthorized access had been made to a single testing lab network by a third party and some low-risk debugging related information was obtained. We are nearing the end of our investigation and at this time we have seen no indication that any customer data nor source code were accessed or exfiltrated. Immediate action was taken to quarantine the lab and additionally secure all corresponding environments. Due to the active nature of the investigation, we are not in a position to share any additional information, but we will provide an update when additional insights become available and can be disclosed."

- Trend Micro spokeperson -

Quote

"McAfee is aware of this threat claim targeting the industry. We’ve taken necessary steps to monitor for and investigate it."

Source:

AdvIntel
Arstechnica

BleepingComputer

 

Summary:

A group by the name of FXMSP has breached 3 US antivirus companies and are selling access and source codes for $300,000.

 

Media:

 

Quotes/Excerpts:

Quote

A report published Thursday, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed that a collective of...hackers are actively marketing the spoils of data breaches at three US-based antivirus software vendors. The collective, calling itself “Fxmsp,” is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims. AdvIntel, told Ars that his company notified “the potential victim entities” of the breach through partner organizations; it also provided the details to US law enforcement. Fxmsp has a well-known reputation in the security community for selling access to breaches, focusing on large, global companies and government organizations. The group was singled out in a 2018 FireEye report on Internet crime. The group has sold “verifiable corporate breaches,” pulling in profits approaching $1 million. Over the past two years, Fxmsp has worked to create a network of proxy resellers to promote and sell access to the group’s collection of breaches through criminal marketplaces. In March, the group “stated they could provide exclusive information stolen from three top antivirus companies located in the United States,” AdvIntel’s researchers reported in a blog post going live today. “They confirmed that they have exclusive source code related to the companies' software development.” And the group offered privately to sell the source code and network access to all three companies.  Fxmsp had managed to steal source code that included code for antivirus agents, analytic code based on machine learning, and “security plug-ins” for Web browsers. In the past, Fxmsp’s breaches have typically focused on exploiting Internet-connected remote desktop protocol (RDP) and Active Directory servers. But more recently, the group has claimed to have developed a credential-stealing botnet.

 

My Thoughts:

I'm sure within the next couple months either the companies affected by this will disclose the breach or a significant amount of coding changes for certain AVs will give away who was hit. Regardless, It's definitely not fun to hear that the companies that you're using to protect yourself have been breached. When it comes down to it, it's more than likely that this was caused by human error, such as password reuse, or phishing as I'd hope these companies have strict security practices.

[TechyBen]

Quote

The collective, calling itself “Fxmsp,”

What is it with hacking groups these days? Can't they get good names?

 

(PS, I'm only joking. Please don't hack me... I think your name is fine... please don't hack me. You're l33t cool, and I'm not. ).

[ZestyJalapeno]

They're holding the name for ransom, so I'm going to guess the three products... McAfee Total Protection, McAfee Virus Service and McAfee LiveSafe

[TVwazhere]

Anyone else read "AdvIntel" and think to themselves Intel and AMD are playing a tennis match, or is my brain just broken?

 

I wonder if this means anything for consumers using these companies for their antivirus, or if it's just internal company code/access. 

[.Apex.]

I bought Bitdefender like a few hours ago......... but I guess that wouldn't be considered a US company? could be one of them though

[191x7]

1 minute ago, _Syn_ said:

I bought Bitdefender like a few hours ago......... but I guess that wouldn't be considered a US company? could be one of them though

BitDefender is Polish I think.

[.Apex.]

Just now, 191x7 said:

BitDefender is Polish I think.

Romanian, but who knows what they meant

[RejZoR]

13 minutes ago, valdyrgramr said:

Malwarebytes is American.  But that's at least anti-malware.

All antiviruses are anti-malware. Not a single antivirus only detects just viruses in the right meaning of the word (parasitic file infectors).

[RejZoR]

There was a joke?

[Bouzoo]

21 minutes ago, valdyrgramr said:

Will a spork do?

No but a fpoon might.

[Deus Voltage]

44 minutes ago, valdyrgramr said:

Malwarebytes is American.  But that's at least anti-malware.

I honestly don't get the joke, can you explain it?

[Deus Voltage]

8 minutes ago, valdyrgramr said:

People get bitchy when you call Malwarebyes an anti-virus program.

Oh, now I feel dumb

[RejZoR]

1 hour ago, valdyrgramr said:

People get bitchy when you call Malwarebyes an anti-virus program.

That's suppose to be a joke? O_o It's an antivirus. Or Antimalware. It's the same shit. 30 to almost 40 years ago antiviruses detected only viruses and the name sticked since there wasn't anything else. As time passed, all antiviruses eventually evolved into antimalware apps since they had to protect users from other "malware" which is a cover word for any kind of malicious software. Not to mention file infectors are actually very rare these days. I'm floating more in this field and I don't really see people bitching about it which is why I didn't even see it as a joke of any kind...

[XenosTech]

3 hours ago, TVwazhere said:

Anyone else read "AdvIntel" and think to themselves Intel and AMD are playing a tennis match, or is my brain just broken?

Take a nap and come back tomorrow lol

[Lady Fitzgerald]

It would have been nice if someone had told us what the three, and possibly, fourth AV companies were.

[bcredeur97]

only US companies I can think of is Symantec, McAfee, and Malwarebytes

[thedude4bides]

Good thing I don’t use one I guess.  First one that comes to mind is PC Matic.  Their commercials are hilarious.

[Shreyas1]

good thing i use kaspersky

[TempestCatto]

So which A/V's were breached?

[DKL]

Just now, TempestCatto said:

So which A/V's were breached?

Top ones. None named as of yet.

[Fnige]

7 hours ago, valdyrgramr said:

Malwarebyes an anti-virus program.

DID... YOU... JUST... CALL... MALWARE... BITES... AN ANTIVIRUS PROGRAM...

 

[Fnige]

Just now, valdyrgramr said:

Yes because Washu is the greatest!

Why is his sisters on his shoulders?

[captain_to_fire]

What comes to my mind: Symantec, McAfee, Microsoft, Malwarebytes 

 

Tbh this is not the first time this kind of attack happened. Remember in 2012, Symantec’s network got hacked twice in the same year? [source][source] Let’s not forget the Duqu 2.0 attack in 2012 where allegedly, English speaking state sponsored hackers infiltrated Kapersky’s network to steal their code but was stopped when they’re beta testing their enterprise product. [here]

[Thaldor]

2 hours ago, captain_to_fire said:

What comes to my mind: Symantec, McAfee, Microsoft, Malwarebytes

Also Comodo is American.

[williamcll]

Guess I got lucky using slovakian antiviruses (ESET nod32)