Cybersecurity Threat Advisory 0023-19: Anti-malware Vendor Source Code Theft

In light of the recent news about US Anti-malware companies getting hacked and their source code being stolen, SkOUT wants its customers to be aware of the situation and remain vigilant for the next few days as the investigation continues and we get more concrete information. The potential threat has been outlined below, along with risks to watch out for, as threat actors may take advantage of the confusion to scare and scam people.It is important to note that none of the available information on this threat has been independently confirmed or corroborated by any source. 

What is the threat?
A hacking collective comprised of threat actors from Russia, and possibly other countries, claims to have stolen the source code of three enterprise-class anti-malware software companies based in the Unite States. This group has successfully stolen corporate data and/or work products in the past. The theft was reported by Advanced Intelligence, Inc. – a NY based security firm which claims to be in contact with the group. Beyond these points of evidence, we do not have confirmed or corroborated information.


Why is this noteworthy?
Law enforcement has been made aware of the threat by Advanced Intelligence and is working with the Anti-malware firms in question to investigate the issue. Fxmsp has reportedly provided debugging files to Advanced Intelligence. These files are reported to be sufficient to reverse-engineer source code but were provided for only one A/M firm. Advanced Intelligence has not shared these debugging files with anyone except unnamed law enforcement sources. 
Fxmsp has reported that they hold 30TB of total data from the three companies, including development documentation, AI specifications, and source code from the anti-malware tools themselves.
For now, SKOUT has not seen indications that this data is actively in use in attacks.


What is the exposure or risk?
If the theft is legitimate and the code is sold to other attackers, the potential for incursion of companies that use the three vendors is extreme. Source code could be used to create fraudulent updates and/or gain access to update systems, allowing a fraudulent update to be propagated across a customer network to all devices using that anti-malware. This could allow for installation of RAT or other malware and/or the disabling of the anti-malware protection itself.

What can you do?
Currently, there are no indications that the source-code has been verified as legitimate, or if it is the current source-code for the three firms in question. Because of this, there is no immediate remediation guidance.  However, SkOUT recommends remaining alert while dealing with emails and phone calls claiming that they are from your anti-virus vendor, or Microsoft, or Apple, etc. saying that they need access to your computers to “fix” the problem. It’s important to remember that legitimate companies will not call or email asking for any information. They require that you go to their websites or call their information phone numbers before they actively doing anything on your computers – they do not reach out to you except for possibly an advisory email which does not require you to click on a link or open an attachment. You may also see extortion emails claiming to be from the threat actors (Fxmsp) or others that demand you pay them in cash or bitcoin or else they will attack your systems. Please let your IT team and your Security Team or 3rd-Party Vendor know immediately if you receive emails like these. 
References:For more information, please visit the following link:

If you have any questions, please contact our Security Operations Center 855.838.4500 | +1.631.622.9467
Find Trouble Before Trouble Finds You.