A group of skilled Russian hackers with a history of infiltrating high-profile targets claim to have stolen the source code used by three major anti-malware vendors based in the United States. Much about this story has yet to be verified, but if true it could force numerous businesses to overhaul their cyber security systems.
The names of the three hacked companies were not released to the general public, but a report from BleepingComputer that cites messages from private underground forums indicates that Symantec, McAfee, and Trend Micro were struck. Of the three, only Trend Micro has confirmed that they were hacked as of this writing.
The Russian hackers
The anti-malware vendors were breached by Fxmsp, a hacking group that has been targeting high-profile corporate entities throughout the world for some time now. They are based in Russia but do not appear to be state sponsored.
The Russian hackers have a track record of selling stolen corporate secrets on underground forums that dates back to at least early 2018. They have offered items from the Ghana Ministry of Finances, the Bogota Electronic Government Database, Luxury Hotels Group, Keystone Bank and DeltaWestern Petroleum among others.
Security firm Advanced Intelligence LLC (AdvIntel) tracks Fxmsp, and its researchers reported that the group had re-emerged in March after not having been seen for several months. Fxmsp was offering to sell the data of three unspecified U.S. anti-virus firms, claiming to have exfiltrated over 30 terabytes of data including source code. The Russian hackers displayed screenshots with segments of code as well as folder and file structure as evidence of their exploits. AdvIntel verified that the folders contain base code and development documents among other sensitive items.
The Russian hackers offered the full set of data for $300,000, including access to the networks of the three companies they breached. The group’s MO in the past has been to offer an initial sale for a large amount of money on forums, but to then quietly re-sell the data several times for smaller amounts after the first sale is concluded.
How bad is it?
Assuming that the source code is legitimate and will end up in the hands of cyber criminals who intend to make use of it at some point, this is dire.
It is very important that the affected anti-malware vendors notify the public as soon as possible if their source code has indeed been compromised by the Russian hackers, as it means that it is only a matter of time before their products are barraged with waves of new exploits.
Of course there is an economic incentive not to own up to the hack, as it would destroy sales and subscriptions, so don’t expect this to happen unless these companies’ hand is forced.
Businesses that are using security products from the affected anti-malware vendors should keep a close eye out for any news coming from them, and at the very least begin exploring alternatives that could be implemented relatively quickly.
Is this legitimate?
There is some question about the legitimacy of AdvIntel’s report. The company is very new, and has only recently put up a website and acquired security certificates. It’s not unheard of for smaller, low-profile security firms to break news such as this; they are often the most eager to track goings-on on the “dark web” and publish this information to build their reputation. However, the fact remains that the company is a virtual unknown.
However, if there are any shady goings-on here it is most likely the Russian hackers putting up a front to advertise and establish the value of the illicit haul. That scenario wouldn’t mean that they aren’t actually holding all the data they claim to be; Trend Micro’s confirmation that they were hacked during the time period and the detailed amount of information published indicate that this is most likely legitimate.
Why the anti-malware vendor source code is so important
Capturing the source code to anti-malware software and algorithms effectively gives you the keys to the kingdom. It allows the hackers holding it to more quickly test and scan for new vulnerabilities. Criminals in possession of source code can often devise novel exploits that have not been seen before and deploy them before anyone in the cybersecurity field is aware of them or ready for them. A big catch here is that the source code must be recent; older source code may not be nearly as useful to an enterprising hacker. This is yet another reason why a detailed briefing on the matter by any security companies that were hacked would be very helpful to their customers.
Given the depth of their apparent access and the length of time the Russian hackers appear to have spent on the target networks undetected, one also has to wonder if Fxmsp left malicious software or other backdoors for future access behind. Their promise of throwing in network access with the purchased data indicates that they did this very thing. There will be big questions about the security of any company associated with this hack that will persist for some time – something particularly worrying for a company that is supposed to be providing security and anti-malware services.
What companies should be doing
It is unfortunate that the companies involved are neither issuing clear denials nor confirming exactly what happened and what was stolen. That does a great disservice to their customers, who are left wondering if and when their security software may be so compromised as to no longer be useful.
At minimum, companies using these anti-malware services will want to keep a close eye on the news. It will be important to know as soon as possible if any of the allegedly hacked companies confirm the breach, if any new exploits related to their products are seen in the wild or if they issue a categorical denial regarding the hacks.
In the meantime, exploring alternatives to these products is also probably going to be a prudent idea. It may not make fiscal sense to make a switch before there is a firm confirmation of all of this, but it would be a very good idea to have a changeover plan in place and ready to launch as quickly as possible should this happen.