Hacker Fxmsp Earns $1.5 Million Selling Access to Companies' Networks

Tomcat

In three years, the attacker compromised about 135 companies in 44 countries around the world. By the minimum estimate, Fxmsp's profit for the period of his activity could be $1.5 million (about 100,000,000 rubles), and this does not take into account sales made "in private", lots listed without a price, or repeated sales of access to the networks of victim companies.

Materials to establish the alleged identity of Fxmsp have already been transferred to international law enforcement agencies.

Although Fxmsp had been mentioned in public sources earlier, Group-IB has for the first time described in detail the course of the investigation and facts that were not previously disclosed. It is possible that the hacker continues to break into company networks and is still dangerous. With this in mind, the researchers published a report containing not only data on the tools and tactics of Fxmsp, but also their recommendations for protection in order to prevent new crimes.

Group-IB Threat Intelligence experts began to record growth in offers for the sale of access to corporate networks starting in 2017, with the appearance on the hacker scene of Fxmsp. At that time, the forums were mainly flooded with offers of access to hacked sites, single servers, and accounts. But in the second half of 2017, in the "elite" niche of selling access to corporate networks, the most noticeable player and the absolute leader in terms of the number of lots was the seller with the nickname Fxmsp.

Over time, he created a new trend in the underground community, turning the sale of access from a commodity into a service, with privileged access to the networks of victim companies provided to his clients.

The main activity of Fxmsp fell in 2018. After that, the niche was empty for some time, and since the beginning of 2019 the cybercriminal has had followers who are active today, adopting Fxmsp's approach. According to a Group-IB study, since the beginning of 2020 about 40 cybercriminals have been trading access on underground forums in the manner of Fxmsp. In total, during this time, more than 150 lots offering access to the corporate networks of companies in various industries were put up for sale.

The experts' report traces the activities of Fxmsp from his first registration on an underground forum to his disappearance from hacker sites. Fxmsp did not specialize in compromising specific companies. The top three victim sectors are light industry enterprises, IT service providers and retail. Among the companies attacked by Fxmsp were also "big fish": for example, four companies are included in the Fortune Global 500 rating for 2019. Fxmsp's track record includes banks, the fuel and energy complex, telecommunications operators, as well as organizations in the energy sector. One of them suffered a ransomware attack in the summer of 2020. By that time, services from Fxmsp had not been offered in the underground for 8 months.

Together with his accomplice, known as Lampeduza, who took over the advertising and support of all transactions, in the period from October 2017 to September 2019 Fxmsp put up for sale access to 135 companies from 44 countries, including the USA, Russia, England, France, Italy, the Netherlands, Singapore, Japan, Australia and many others. Despite the unwritten law of the underground environment not to work "on RU", Fxmsp sold two lots for Russian victims, for which he was "banned" by the forum moderators, but this did not stop the criminal.

The Group-IB report owes its name to one of Lampeduza's advertising posts. Having gained prestige in the underground environment, the group acquired regular customers. Lampeduza was involved only at the monetization stage, while Fxmsp was involved in all stages of the attack, including scanning IP ranges in search of an open RDP port 3389, brute-forcing credentials, establishing persistence in the network, and installing backdoors.
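A defender-side illustration of the RDP brute-force step described above. This is an added example, not code from the Group-IB report or from this post: it counts failed RemoteInteractive (RDP) logons per source IP in a sliding window over constructed, simplified Windows Security log lines and notes whether an RDP success from the same source followed. The one-line log format and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified, assumed one-line format: Windows Security
# events 4625 (failed logon) / 4624 (successful logon); LogonType 10 = RDP.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-06-01T10:00:02Z 4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-06-01T10:00:03Z 4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-06-01T10:00:04Z 4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2020-06-01T10:00:05Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-06-01T10:00:09Z 4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-06-01T10:05:00Z 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2020-06-01T10:20:00Z 4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
"""
LINE_RE = re.compile(r"^(\S+) (\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$")

def parse(log_text):
    """Parse the sample format into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, eid, lt, user, ip = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "eid": int(eid), "lt": int(lt), "user": user, "ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold RDP logon failures inside a sliding
    window, and record whether an RDP success from that IP followed."""
    fail_ts, fail_users, alerts = defaultdict(list), defaultdict(set), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            ts = fail_ts[ip]
            ts.append(ev["ts"])
            fail_users[ip].add(ev["user"])
            while ts and ev["ts"] - ts[0] > window:   # expire old failures
                ts.pop(0)
            if len(ts) >= threshold:
                a = alerts.setdefault(ip, {"success_after": False})
                a["failures"], a["users"] = len(ts), sorted(fail_users[ip])
        elif ev["eid"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True      # brute force likely succeeded
    return alerts
```

A source flagged with `success_after` set is the case worth escalating first, since the access obtained that way is exactly what was later resold.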

The Fxmsp nickname became widely known in May 2019 after news broke in the media that the Fxmsp group was selling the source code of at least three unnamed antivirus products, valuing it at $300,000. One of the companies later partially admitted the fact of compromise, while assessing the incident as non-critical. However, by the time the news appeared, Fxmsp had already finished his "public" activities.

The researchers emphasize that, so far, the most prolific "access seller" is likely to remain at large, posing a threat to companies in a wide range of industries, regardless of where they are located.

“Selling access to corporate networks is still a rather rare service that is available on a limited number of underground resources, mainly Russian ones. Fxmsp has affected more than 130 organizations around the world and is one of the most dangerous criminals among his peers, possibly still active. We want our research to speed up the detection and arrest of the criminal hiding under the nickname Fxmsp and those working with him, and to reduce the number of people who want to be his followers. That is why we decided to submit an extended version of the report to international law enforcement agencies and made public the available materials on the tools and tactics of Fxmsp, showing how you can provide protection against such attacks,” says Dmitry Volkov, CTO of Group-IB.