Japanese security conglomerate Trend Micro has wrapped up an internal investigation after falling victim to a security incident that saw one of its own testing lab environments breached – with alleged source code and network access later offered for sale on the Dark Web.
Russian-speaking group Fxmsp had been touting the data for $300,000 on Russian forums, claiming it had 30TB of aggregated data. The incident was of some embarrassment for Trend Micro, which runs arguably the world’s largest bug bounty programme, the Zero Day Initiative.
It had first been reported by New York-based threat intelligence company Advanced Intelligence (AdvIntel), based on its interactions with the threat actor. AdvIntel initially reported the claims of a group it dubbed Fxmsp that it had penetrated three cybersecurity companies: Trend Micro, Symantec and Norton.
Fxmsp had “confirmed that they have exclusive source code related to the companies’ software development”, the company wrote in a blog. This was not substantiated: Symantec and Norton denied outright that they had been breached, although Trend Micro had indeed suffered a notable security incident.
A Trend Micro spokesman told Computer Business Review: “We have concluded our internal investigation into the recent claims of an intrusion into one of our testing lab environments, and as promised, we are sharing a summary of our key findings. Trend Micro source code and customer data remains secure.”
“Evidence shows that during the unauthorized access to a single testing lab environment, the malicious group Fxmsp obtained artifacts used for debugging purposes. Remediation measures were immediately implemented, and we continue with further hardening of our systems and policies.”
The company added: “Our highest priority remains protecting our customers and partners, and we remain committed to this.”
“This incident reinforces the message that every organization must constantly remain vigilant with their security measures as hackers continue to sharpen their attack methodologies and widen their attack surface.”
Fxmsp had told Advanced Intelligence researchers that it accessed network environments via Remote Desktop Protocol (RDP) servers and exposed Active Directory accounts. It also claimed to have developed a credential-stealing botnet capable of infecting high-profile targets.
AdvIntel’s Yelisey Boguslavskiy told Computer Business Review: “AdvIntel had never suggested that the three cybersecurity companies had been breached by the Fxmsp actor group; we have published their claims, and we work to enable successful identification and disruption of the compromised network access, which allowed to mitigate the companies’ exposure to this threat.”
He added: “AdvIntel has emphasized multiple times that the scale of the incident is massive due to the user exposure of Trend Micro customer base”, claiming the “stolen symbol and debugging files enable the Fxmsp group to… expand the anti-virus exploitable attack surface and exploit the intricacies of the original confidential source code itself.”