Pierluigi Paganini
July 08, 2020
The US Department of Justice has indicted a hacker that goes online with the moniker Fxmsp for hacking over three hundred organizations worldwide and selling access to their networks.
According to the DoJ’s indictment, behind the name Fxmsp there is Andrey Turchin, a citizen of Kazakhstan. The DoJ is charging him with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.
“An indictment was unsealed today in the Western District of Washington charging a citizen of Kazakhstan, ANDREY TURCHIN, a/k/a “fxmsp,” 37, with various federal crimes related to a prolific, financially motivated cybercrime group that hacked the computer networks of a broad array of corporate entities, educational institutions, and governments throughout the world, announced U.S. Attorney Brian T. Moran.” reads the press release published by the DoJ. “The “fxmsp” group established persistent access, or “backdoors,” to victim networks, which they then advertised and sold to other cybercriminals subjecting victims to a variety of cyberattacks and fraud.”
According to BleepingComputer, sources familiar with the case told it that local authorities detained the man in Kazakhstan.
Turchin obtained credentials to target networks by launching spear-phishing attacks and brute-forcing the passwords of remote desktop servers exposed online
Once the hacker gained access to the network, the deployed password-stealing malware and remote access trojans (RATs) to harvest credentials and establish persistence in the system.
The name Fxmsp refers a high-profile Russian- and English-speaking hacking group focused on breaching high-profile private corporate and government information.
Since March 2019, Fxmsp announced in cybercrime forums the availability of information stolen from major antivirus companies located in the U.S.
Between 2017 and 2018, Fxmsp created a network of trusted proxy resellers to promote their breaches on the criminal underground.
Fxmsp used to compromise Active Directory of target organizations and ensure external access through remote desktop protocol (RDP) connections.
Turchin attempted to sell access to these networks on hacker forums (i.e. Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t) and dark web marketplaces for prices ranging between a few thousands of dollars up to over $100,000.
The group also claimed to have developed a credential-stealing botnet capable of infecting high-profile targets and exfiltrate sensitive data, including access credentials.
In 2019, Fxmsp confirmed to have breached the networks of some security companies and to have obtained long-term access.
The group offered access to single companies for $250,000 and is asking $150,000 for the source code of the software. Buyers can also pay at least $300,000 acquiring both, the price depends on the compromised company.
“TURCHIN and his accomplices perpetrated an ambitious hacking enterprise broadly targeting hundreds of victims across six continents, including more than 30 in the United States. Widely known in hacking circles by the moniker “Fxmsp,” TURCHIN employed a collection of hacking techniques and malicious software (malware) to gain and maintain access to victim networks,” continues the press release. “For instance, he often used specially designed code to scan the Internet for open Remote Desktop Protocol (RDP) ports and conduct brute-force attacks to initially compromise victim networks. Once inside the victim’s system, he moved laterally throughout the network and deployed additional malicious code to locate and steal administrative credentials and establish persistent access. The conspirators often modified antivirus software settings to allow malware to continue to run undetected.”
It is important to note that the charges contained in the indictment are only allegations until the suspect will be proven guilty in a court of law.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Fxmsp)
[adrotate banner=”5″]
[adrotate banner=”13″]
