For a little over two years, a hacker known only as “fxmsp” sold backdoor access to hundreds of corporate networks in 44 countries via Russian-language underground forums, including the systems of several Fortune 500 members. Dubbed “the invisible god of networks,” the hacker pulled in well over a million dollars from clients and became so in-demand that he hired a sales manager.
Tracked for three years by Group-IB, a leading cybersecurity firm working out of Singapore and Moscow, the hacker was eventually undone by a trail of email addresses that led back to a social media profile and a domain registration. His massive success in compromising open default RDP ports widely used for remote desktop communications should serve as a cautionary tale for organizations that are increasingly shifting to a more permanent remote work model as the Covid-19 crisis continues to play out.
Backdoor access to hundreds of companies
“fxmsp” would turn out to be one Andrey A. Turchin of Almaty, Kazakhstan. However, it would take security researchers years to catch up with him after his first appearance on underground hacking forums.
He had been frequenting these forums since 2016, but first announced his services in October of 2017 with an offer of full access to critical network segments of a handful of unrelated organizations. It is believed that he had established backdoor access at a number of companies long before that, but took some time in figuring out how to monetize this access and initially attempted to use it to mine cryptocurrency.
fxmsp’s first year of hanging out a cybercrime shingle, which ran from about October of 2017 to June of 2018, was fairly successful. He reportedly took in about $268,000 during this time, selling access to a commercial bank in Nigeria and a global chain of luxury hotels, among others. He did well enough during this period to take on a sales manager to handle requests for his services, a forum user by the name of Lampeduza who had previously been seen selling bank card dumps and stolen Facebook account credentials.
His most lucrative period of selling backdoor access, however, was from August to November 2018. After a short break during the summer of that year, he reappeared claiming to have compromised three different antivirus vendors (believed to be McAfee, Symantec, and Trend Micro) along with about 60 new companies. fxmsp raked in $1,100,800 during this period.
The pair then disappeared again for a time before once more offering their services between May and September 2019, this time with access to only 22 companies and making only about $124,100. Lampeduza confirmed in a December 2019 forum post that fxmsp had gone out of business.
The customers were allowed to trial the backdoor access for a few hours, with the money held in an escrow account during that time.
Group-IB was ultimately able to unmask fxmsp thanks to his thoughtless inclusion of a Jabber account in his early forum postings, made while he was still trying to figure out how to make money from backdoor access. This led to an email account, which in turn led to an old domain registration made under Turchin’s real name. His identity was further verified by matching information he had posted to one of his social media accounts.
Turchin has been indicted by the United States Department of Justice since the Group-IB report came out. He has been charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud as well as multiple counts of computer fraud and abuse. While he made a tidy profit off of all of this backdoor access, the victims have paid tens of millions of dollars to repair the damage that has been done. Kazakhstan is reportedly assisting in the investigation, but Turchin has not yet been found and arrested.
Turchin’s technique
The hacker’s criminal enterprise centered on exploiting open Remote Desktop Protocol (RDP) ports, particularly TCP port 3389, the default port used to allow remote access to Windows servers and workstations.
Though fxmsp was highly successful, his approach does not appear to have been particularly sophisticated. It did not seem to involve developing new tools or finding undisclosed exploits. Instead, the hacker used a variety of IP address scanning tools to find these open ports. He would then run a brute-force password-guessing attack, narrowing the candidates by pulling a list of accounts on the server with a specialized tool. He usually focused on admin accounts and tried passwords against them from dictionary files built from previously compromised credentials. Persistent backdoor access was then established throughout the network, including in backup files.
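The pattern just described leaves a distinctive trace on the victim: a burst of failed logons (Windows Security event 4625) from one source address against administrative account names. The following PowerShell is an added detection example, not code from the article or from Group-IB; the events it processes are constructed inline, and the function name, threshold and window are assumptions chosen to line up with a typical lockout policy.

```powershell
# Added example: flag RDP password guessing by counting failed logons (event 4625)
# per source IP inside a sliding window. Sample events are constructed; on a real
# host replace them with the Get-WinEvent output shown at the bottom.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events, # TimeCreated, IpAddress, TargetUserName, LogonType
        [int] $Threshold = 5,                      # failures per source that raise an alert
        [int] $WindowMinutes = 15                  # sliding window; match the lockout window
    )
    $alerts = @()
    # LogonType 10 = RemoteInteractive (classic RDP); 3 = Network (RDP with NLA fails here)
    $rdpFailures = $Events | Where-Object { $_.LogonType -in 3, 10 -and $_.IpAddress -ne '-' }
    foreach ($group in ($rdpFailures | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
        # Alert as soon as any $Threshold consecutive failures fit inside the window.
        for ($i = 0; $i -le $times.Count - $Threshold; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $alerts += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Accounts  = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break
            }
        }
    }
    return $alerts
}

# Constructed sample: one source trying admin-style names every 20 seconds, plus a
# legitimate user who mistypes a password twice ten minutes apart.
$base   = Get-Date '2019-06-01T02:00:00'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{
            TimeCreated    = $base.AddSeconds(20 * $_)
            IpAddress      = '198.51.100.23'
            TargetUserName = @('Administrator', 'admin', 'backup')[$_ % 3]
            LogonType      = 10
        }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(3);  IpAddress = '203.0.113.7'; TargetUserName = 'jsmith'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(13); IpAddress = '203.0.113.7'; TargetUserName = 'jsmith'; LogonType = 10 }
)

# Expected: a single alert for 198.51.100.23 (12 failures, 3 account names); 203.0.113.7 stays quiet.
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# On a real host (elevated session), build the same objects from the Security log instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         $d = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{
#             TimeCreated    = $_.TimeCreated
#             IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
#             TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#             LogonType      = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#         }
#     }
# Find-RdpBruteForce -Events $live
```

The window check is deliberately per-source rather than per-account: a dictionary run that rotates through many account names still comes from one address, and grouping by account would dilute it below threshold. Failures with an IpAddress of `-` are local or console logons and are excluded so they do not pollute the count.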
Group-IB’s recommendations for countering this backdoor access method are to change the default RDP port from 3389, which deters anyone simply scanning the internet for blocks of IP addresses looking for low-hanging fruit. Another simple fix is to ensure that a lockout policy is in place, suspending the account after a set number of failed login attempts. Where only certain authorized remote workers need this kind of access, IP whitelists can be set up or a corporate VPN can be used.
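The three controls above map onto a handful of Windows settings. The script below is an added example showing how to apply them on a single host from an elevated PowerShell session; it is not from the article or from Group-IB. The port number and the allow-listed source addresses are placeholders to be replaced with your own, and the verification block at the end reads the settings back so the change can be confirmed before the session is closed.

```powershell
# Added example: apply the article's three RDP hardening steps on one Windows host.
# Run elevated. $NewRdpPort and $AllowedHosts are placeholders; choose your own.

$NewRdpPort   = 33890                                  # anything other than the default 3389
$AllowedHosts = @('203.0.113.10', '198.51.100.0/24')   # e.g. VPN gateway and admin jump hosts only
$RdpTcp       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Account lockout: 5 bad guesses lock the account for 15 minutes and the failure
#    counter resets after 15 minutes. This blunts dictionary attacks on any port.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 2. Move the RDP listener off 3389 so mass scans for the default port miss it.
Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewRdpPort -Type DWord

# 3. Replace the built-in Remote Desktop firewall rules (any source, port 3389) with one
#    rule that admits the new port only from the allow-listed addresses.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName "RDP $NewRdpPort (allow-listed sources)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewRdpPort `
    -RemoteAddress $AllowedHosts -Action Allow -Profile Any | Out-Null

# The listener binds the new port only after the service restarts; active sessions drop.
Restart-Service -Name TermService -Force

# Verify: registry port, effective lockout threshold, and the new rule's remote scope.
[pscustomobject]@{
    RdpPort          = Get-ItemPropertyValue -Path $RdpTcp -Name PortNumber
    LockoutThreshold = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[-1].Trim()
    AllowedSources   = (Get-NetFirewallRule -DisplayName "RDP $NewRdpPort*" |
                        Get-NetFirewallAddressFilter).RemoteAddress -join ','
}
```

Order matters in practice: the lockout policy and the firewall allow-list carry the real weight, since a moved port only defeats scans that look for 3389 and is found by a scanner that probes the full port range. Apply steps 1 and 3 before restarting the service, and test the new rule from an allow-listed host while a second session to the machine is still open, so a typo in `$AllowedHosts` does not lock the administrator out along with the attacker.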