An international cybercrime group has attacked the networks of three unnamed US-based antivirus firms and stolen approximately 30 terabytes of data. The group is offering to sell the data, as well as access to the company networks for a sum of $300,000.
As first reported by Ars Technica, the “boutique cybersecurity firm” Advanced Intelligence, Inc., says that a “Russian- and English-speaking hacking collective” called Fxmsp has been trying to work its way into the antivirus firms’ networks for the last six months, and finally became successful on April 24th.
One stolen data set seems “to contain information about the company’s development documentation, artificial intelligence model, web security software and antivirus software base code,” an Advanced Intelligence blog post said.
Dr. Torsten George, Cybersecurity Evangelist at Centrify, said about the attack: “It’s both shocking and alarming if reports are true that an international cybercrime group has penetrated the company networks of three U.S.-based antivirus firms and stolen more than 30 terabytes of data via a credential-stealing botnet. Organizations – especially antivirus firms – have to assume that bad actors are in their networks already.
Cyber attackers long ago discovered that the easiest way to gain access to sensitive data is via weak, default or otherwise compromised credentials. The reality is that guessing passwords is easier than going up against technology. In fact, a recent Centrify study found that privileged credential abuse is involved in almost three out of every four breaches. Privileged account access provides cyber adversaries with the “keys to the kingdom” and a perfect camouflage for their data exfiltration efforts.
It’s well past time to adopt a Zero Trust approach, powered by additional security measures such as multi-factor authentication (MFA) and privilege elevation, to stay ahead of the security curve. MFA is the lowest hanging fruit for protecting against compromised credentials.”
The posting included what appeared to be a screenshot of a code editor and a Windows Explorer window showing a file structure. One commenter at Ars Technica said the code editor appeared to actually be a decompiler, a tool that tries to reconstruct software source code by analyzing binary data.
Not much else is known about the attack. Questions such as whether there is any personal information about antivirus company clients in the stolen data, whether malicious hackers could create more powerful malware if they got a look at antivirus source code, and whether Fxmsp actually has the source code or is just trying to decompile binaries all remain unanswered.