It is difficult to fathom that a threat actor may be able to breach the networks of a reputable security company. Yet this is not only possible but has also happened in the past, and it is not far-fetched to believe that it is the case with at least three antivirus makers, as reported by BleepingComputer earlier this week.

The world learned in 2012 that hackers had breached Symantec networks six years earlier and made off with the source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.

In 2015, Kaspersky announced that its internal network had been infiltrated by a threat actor interested in the technology behind the company's secure operating system, Fraud Prevention, Security Network and Anti-APT solutions and services.

As a side note, Bitdefender was in the limelight the same year when a hacker tried to extort the company for $15,000 after stealing unencrypted customer login data. This was possible because a server was running an outdated software package as a result of human error.

In all three cases, the companies said that the incident did not have lasting effects or a significant impact. Symantec’s source code was for old products; with Kaspersky, the intrusion was caught early and gave the company insight into the adversary's tools and infrastructure; and Bitdefender said the leak affected less than 1% of their SMB customers.

Fxmsp hackers up the ante

A Russian hacker group known on underground forums under the name Fxmsp started advertising in April that they had persistent remote access to the networks of multiple antivirus companies with offices in the United States.

They offered to sell access along with source code related to various products from the victims: antivirus software base code, artificial intelligence model, customer panels, web security software, and utilities.

An instant message communication indicates that Fxmsp was able to get their hands on the source code from at least two companies.

The message below offers some details about the protections the hackers had to overcome in order to identify the source code files: one company changed the file extensions on purpose, while another removed all extensions in an attempt to make it more difficult to identify the nature of the files.

Here's an adapted version of the translated image:

(01.05.2019 12:04:06) fxmsp: the company changed the extension specifically to not immediately be possible to know that this is the source code

(01.05.2019 12:04:25) fxmsp: our specialist identified from the binary headers that they were not debug executables

(01.05.2019 12:04:57) fxmsp: the extension itself is not what it looks like, you need to look at the tags in the binary

(01.05.2019 12:06:01) fxmsp: select the desired folder - parse all files into binaries - look at the tags in the files, change the extension based on the tag - after running in desired extension format

(01.05.2019 12:07:03) fxmsp: in one company, the source code was kept without any extension at all to confuse anyone who wants to look for source code for the extension, it is normal practice in such companies that are engaged in software

(01.05.2019 12:07:11) fxmsp: in general, see for yourself

Yelisey Boguslavskiy, director of security research at fraud prevention firm Advanced Intelligence (AdvIntel), told BleepingComputer that it took Fxmsp 6 months to breach the AV companies and that the operation was orchestrated by two teams: a partner based in the U.S. and another in Taiwan.

While there is no official confirmation of the names of the three antivirus companies Fxmsp breached and an FBI investigation is underway, Boguslavskiy has told BleepingComputer that "one of the victim antivirus firms has acknowledged the existence of the incident to us."

Some people have said on Twitter and Reddit that the victims are Symantec, McAfee, and Trend Micro. However, they offered no evidence to support the assertions.

Boguslavskiy told us that AdvIntel is currently working with trusted parties to remediate the breach and keep victim information protected. A fourth antivirus company may also have been hacked, but its name and location remain unknown.

Marketed over encrypted chat

Through a network of sellers, the group said that the price for the bundle was $300,000 for each victim company. Some online aliases of the sellers are Antony Moricone, Lampeduza, Nikolay, and BigPetya. In a chat, Fxmsp said that the last two were likely the same person.

Here's the automated translation of the image:

and you know people, which now continues to on forums twittering similar accesses - Nikolay, BigPetya, - you previously, the same accesses were sold. I understand the team worked

(3:03:25) fxmsp: most likely this one person under different nicknames

(3:03:51) fxmsp: I have a partner, he works with him

Fxmsp claims to have developed botnet malware that can infect high-profile targets and exfiltrate sensitive credentials. They are selling this as well: $25,000 for the full version and $5,000 for a less potent variant.

Here's an adapted version of the translated image:

(3:16:52) like the way your botnet? you've been missing for six months everywhere.

(3:17:08) fxmsp: in development

(3:17:21) fxmsp: 59 days left to launch

(3:17:34) fxmsp: it's not really a botnet, it will be steeper

(3:18:10): how is it, if it is possible to ask?

(3:18:41) fxmsp: it description prepare guys, when will be ready skins, there are a lot different functions

(3:19:16)) /: OK! don't forget, plz))

(3:20:03) fxmsp: on sale will full version of is worth 25K

(3:20:09) fxmsp: simplified 5K

(3:20:18) fxmsp: but he something, on this so

According to AdvIntel, who collected evidence from Fxmsp's chats, the hackers specialize in "accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory."

Fxmsp advertised access to a diverse host of victims comprising businesses in the following activity fields: manufacturing, energy, financial, government, air transport, food, and education. Below you can see a larger list with their offers:

Active Directory access claims

An announcement in October 2018 from BigPetya, one of Fxmsp's sellers, offered access to internal servers of multiple entities. Among them was Reliance Industries Limited, an Indian giant with diverse activity in the energy, petrochemicals, textiles, natural resources, retail, and telecommunications sectors.

The seller advertised "full access with admin rights, all server counts and all PCs on the network" (automated translation) and "access to the domain controller."

Domain controllers are an essential part of Active Directory (AD) services, as they manage access to Windows domain resources. They store user account information and are responsible for authenticating users and enforcing security policies on the domain.

The claim to have this level of access is definitely concerning, as a compromised domain controller gives an attacker control of the entire Windows domain and of every resource connected to it.

In screenshots from AdvIntel showing evidence of Fxmsp's access to internal folders belonging to one of the victims, the graphical user interface seems to support the hacking group's claims of reaching the Active Directory.

Huy Kha, an expert in Active Directory security, told BleepingComputer that the screenshot above "actually looks like the Domain Controller of a Windows Server 2012 R2."

For comparison, he provided the screenshot below from his test Domain Controller, saying that the attackers probably had access to the domain network server and that this was likely the result of compromising a high-privileged user in the Active Directory.

Kha's theory also includes the remote desktop access claims, saying that by default, only users in the Domain Admins, Enterprise Admins, and Administrator groups can enable RDP externally on a Domain Controller.

Users with this level of permissions would have access to the Remote Desktop setting on the server and could turn it on over the internet. By default, the option is inactive.

"RDP via external way to the DC is actually disabled by default, but the attackers could enable it, because it seems like they compromised a high-privileged user in the domain," Kha assumes.

This theory would explain how Fxmsp may have established persistent access to a victim's network. Kha says that organizations barely have visibility into their Active Directory environment to see what is going on in the network.

Active Directory is not insecure by itself, the expert told us, but poor management is the main cause of its default security being weakened.

He offers some tips for keeping Active Directory safe from intrusions. One is to make sure that organizations understand the role of the Domain Admins group and grant that privilege only to users whose job actually requires it, such as promoting a Domain Controller or raising a domain's functional level.

If delegating rights can't be avoided, this is best done with the principle of least privilege in mind. Also, sharing admin accounts is far from being a healthy practice.

Another measure is to limit access to the DC. Denying workstation-to-workstation communication for non-IT departments (accounting, marketing) is a good way to close off an attacker's routes; otherwise there is a lateral movement problem.
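A read-only audit that checks the conditions Kha describes, added here as an example (it is not code from the article, AdvIntel or Kha): run on a domain controller, it reports whether RDP has been enabled, who currently holds Domain Admins, Enterprise Admins or Administrators membership, and which accounts were added to those groups recently. It assumes the ActiveDirectory and NetSecurity PowerShell modules are installed and that the caller can read the Security event log.

```powershell
# Added example (not from the article or AdvIntel): read-only audit run ON a domain controller.
# Checks the three things discussed above: RDP enabled on the DC, privileged group membership,
# and recent additions to those groups. Assumes the ActiveDirectory and NetSecurity modules.
#Requires -Modules ActiveDirectory, NetSecurity

function Get-DcRdpExposure {
    # fDenyTSConnections = 1 is the default on a DC (RDP disabled); 0 means someone turned it on.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    # Inbound rules in the "Remote Desktop" group must also be enabled for TCP 3389 to be reachable.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        InboundRdpFwRules = @($fwRules).Count
    }
}

function Get-PrivilegedGroupMembers {
    # Recursive expansion catches nested groups that quietly inherit Domain Admin rights.
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{n='Group';e={$g}}, SamAccountName, objectClass
    }
}

function Get-RecentPrivilegedGroupAdds {
    param([int]$Days = 30)
    # 4728 = member added to global group, 4732 = local group, 4756 = universal group.
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Group     = $d['TargetUserName']
            MemberSid = $d['MemberSid']
            ByAccount = $d['SubjectUserName']
        }
    } | Where-Object { $_.Group -in 'Domain Admins', 'Enterprise Admins', 'Administrators' }
}

Get-DcRdpExposure
Get-PrivilegedGroupMembers | Format-Table -AutoSize
Get-RecentPrivilegedGroupAdds | Format-Table -AutoSize
```

A DC reporting RdpEnabled = True with enabled inbound rules, or a membership change made by an account outside the known admin team, is the kind of finding that should trigger an investigation rather than a quiet fix.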

Update [05.13.2019]: The names of the victim antivirus companies Fxmsp was trying to sell access to on underground forums have been revealed. A cache of communications from the hackers indicates that they were at least inside the networks of McAfee and Trend Micro and stole source code from them. You can see the response from three antivirus makers in this article.