“Immediate action was taken to quarantine the lab”
UPDATED 23:45 GMT with amended comment from Symantec and AdvIntel.
Trend Micro today admitted it had suffered “unauthorised access to a single testing lab network by a third party”. The comment came after New York-based threat intelligence company Advanced Intelligence (AdvIntel) claimed three cybersecurity companies had been penetrated by a Russian hacker group dubbed Fxmsp.
Computer Business Review has obtained the names of all three of the companies allegedly hacked. Trend Micro is among them and was responding to our request for comment. Symantec (Norton), which denies the claims, is the second. McAfee is the third company the threat group named. It says it “found no indication that McAfee products, services or networks have been impacted by the campaign described.”
In a report published Thursday, AdvIntel said the Russian-speaking group Fxmsp had been selling alleged source code and network access to the three for $300,000 on Russian dark web forums, claiming it had 30TB of aggregated data.
(The threat group’s modus operandi included accessing network environments via externally available Remote Desktop Protocol (RDP) servers and exposed active directory accounts, the company added, saying the group also claimed to have developed a credential-stealing botnet capable of infecting high-profile targets.)
Trend Micro Response
A Trend Micro spokesman told us: “We have an active investigation underway related to recent claims, and while it is not complete, we want to transparently share what we have learned. Working closely with law enforcement, our global threat research and forensic teams are leading this investigation.”
They added: “At this moment, we are aware that unauthorized access had been made to a single testing lab network by a third party and some low-risk debugging related information was obtained. We are nearing the end of our investigation and at this time we have seen no indication that any customer data nor source code were accessed or exfiltrated.”
“Immediate action was taken to quarantine the lab and additionally secure all corresponding environments. Due to the active nature of the investigation, we are not in a position to share any additional information, but we will provide an update when additional insights become available and can be disclosed.”
The comment is the first confirmation that a story met with widespread scepticism has some credibility. AdvIntel’s minimal online presence and “pop-up” nature had left security professionals sceptical. Computer Business Review has confirmed that the company’s founder, Yelisey Boguslavskiy, previously worked at Flashpoint and spoke to him by telephone today on a US mobile number, where he said he left Flashpoint to set up his own company in March and remained confident that his sources were credible.
He admitted that without paying for the stolen data it was hard to confirm the extent of the breaches, but the evidence he had seen convinced him that there had been a legitimate breach. In an updated statement he admitted that there was not enough evidence to sustain a claim that Symantec had been hacked.
Symantec, whose CEO abruptly stood down last week after the company issued a profit warning late Thursday, said it had “no indication” it was affected.
A company spokesman told Computer Business Review in an emailed comment: “Symantec is aware of recent claims that a number of US-based antivirus companies have been breached. We have been in contact with researchers at AdvIntel, who confirmed that Symantec (Norton) has not been impacted. We do not believe there is reason for our customers to be concerned.”
AdvIntel admitted in a message to Computer Business Review that Fxmsp had not provided “sufficient evidence to support this allegation [that Symantec was hacked].” The company added: “We believe with a high degree of confidence that Symantec’s assessment of risks and their statement that ‘there is no reason for our [Symantec] customers to be concerned currently’ is correct.”
Furnishing more details about the breach, Boguslavskiy shared a screenshot and translation of communications with the Fxmsp group, which told his company, regarding the alleged source code it was selling: “Our specialist identified through binary tags that these are not debuggers”. (Translation below.)
- (01.05.2019 12:04:06) fxmsp: The [AV] company changed file extensions deliberately: so it will be impossible to immediately identify the files as source code
- (01.05.2019 12:04:25) fxmsp: Our specialist identified through binary tags that these are not debuggers
- (01.05.2019 12:04:57) fxmsp: Simply, the extension is not the same as real format, so you’ll need to look at the binary and headers.
- (01.05.2019 12:06:01) fxmsp: Choose a necessary folder – check all files in binary format – look at headers within files, change extensions based on headers – after, execute in a format you need
- (01.05.2019 12:07:03) fxmsp: one AV company kept their source code with no extension in order to confuse anyone who is trying to identify source code by extensions, this is a usual practice in such companies that develop software
- (01.05.2019 12:07:11) fxmsp: all in all, think about it yourself
Boguslavskiy told Computer Business Review: “We strongly believe that this intelligence serves the public interest and should be available for review given the latest supply-chain breaches and attacks that could potentially stem from [these] breaches.”
He added: “[With regard to] proxy sellers, we provide intelligence into four aliases and the most important operators: Nikolay, BigPetya, Antony Moricone, and Lampedusa.”
“AdvIntel identified that the most recent activity of Fxmsp sellers concentrated on the mid-tier Russian language hacking forum Omerta. However, on May 11, 2019 they deleted all of their posts and offers. AdvIntel has likely disrupted their selling network and forum operations.”
In a further call, the 27-year-old said he understood that his company’s initial claims had been met with some scepticism owing to the “newness” of AdvIntel (which was only founded in March, after the former threat analyst left Flashpoint), but he was confident in the quality of his teams’ intelligence.
Questioned on the extent of the breaches, he said: “We were only demonstrated a segment of the data, but they appeared to have 30TB. In terms of what a potential buyer could do with that, it depends on their skillset in extracting source code.”
“In terms of the risks from the group itself, they said that they are typically targeting AV [antivirus] companies so that they can make their own offensive malware more efficient. They were saying the improvement of the botnet was the main aim.”