Euro Security Watch with Mathew J. Schwartz

Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Studying an 'Invisible God' Hacker: Could You Stop 'Fxmsp'?

Successful Hacking Operation Often Relied on Simple, Easy-to-Block Tactics
Studying an 'Invisible God' Hacker: Could You Stop 'Fxmsp'?
Slogan used to sell remote access credentials stolen by Fxmsp, overlaid on a map of victims' locations (Source: Group-IB)

Could your organization withstand an attack by the master hacking operation known as "Fxmsp," which promised to help criminals become the "invisible god of networks"?

See Also: Webinar | Transforming Cybersecurity with Collaborative MDR Solution

Hollywood loves to portray hackers as being like Neo in the movie "The Matrix" - recoding the world's fabric with ninja-like skills - or able to do the Ethan Hunt "Mission Impossible" cyber equivalent of rappelling down air shafts undetected to gain access to the world's most secure bunkers before successfully disappearing without a trace into the night with the corporate crown jewels.

In reality, however, for successful criminals, time is money. (The same also goes for intelligence agencies' hacking teams or affiliates.)

Simplicity, in other words, reigns. That's why if criminals or nation-states want to exploit a network, they'll typically hit it using the simplest, least technical and most inexpensive techniques. (As a bonus for intelligence agencies, if criminals are already using these tactics, then it's tough to tell is there's an espionage angle or not.)

Cue Fxmsp: A recently released report by Singapore-based cybersecurity firm Group-IB recaps the tactics regularly used by Fxmsp, which can refer to both an individual as well as a hacking team gathered by the group's leader that was organized in a sophisticated manner (see: Fxmsp Hackers Behind AV Source Code Heist: Still Operating?).

But the group's hack-attack tactics were often anything but sophisticated. Again, if simplicity works, why complicate things? Notably, one of Fxmsp's favored moves was to brute-force companies' remote desktop protocol credentials. And why not, since even today, this tactic remains cheap, easy and effective?

Another favorite tactic for the group, according to New York-based fraud prevention and risk management firm Advanced Intelligence - also known as AdvIntel - was that after gaining remote access via RDP, the group would move to gain administrative-level access to a firm's Active Directory installation as quickly as possible.

"Compromising AD means that attackers can get access to all the different user accounts and other company systems," Huy Kha, an information security professional at a Dutch law firm who's an expert on Active Directory security, told me last year when Fxmsp's attacks came to light.

Criminal Profits: At Least $1.5 Million

Despite employing some relatively simple tactics, over a three-year period, Fxmsp gained access to 135 organizations' networks across 44 countries, including businesses in the U.S., U.K., Russia, Singapore and beyond, Group-IB says. The security firm conservatively estimates that Fxmsp earned at least $1.5 million as a result.

"This, however, does not include the 20% of companies to which he offered access without naming the price, and the sales he made through private messages," Group-IB says.

Source: Group-IB

Experts say the group was extremely well-organized and used teams of specialists, built a sophisticated botnet and sold remote access and exfiltrated data in the course of perfecting the botnet to help monetize those efforts.

Or at least that was the group's MO until AdvIntel dropped a report in May 2019 documenting Fxmsp's activities. Shining a light on the gang - which relied in large part on advertising via publicly accessible cybercrime forums - caused the group to disappear.

"The Fxmsp hacking collective was explicitly reliant on the publicity of their offers in the dark market auctions and underground communities," Yelisey Boguslavskiy, CEO of AdvIntel, tells me.

After the report's release, he says Fxmsp disappeared from public view, although it's not clear if the hacker with that handle might still be operating privately (see: Hacking Timeline: Fxmsp's Rise and Apparent Fall).

Typical Attack Chain

Study Fxmsp's historical operations, and a less-is-more ethos emerges. "In most cases, Fxmsp uses a very simple, yet effective approach: He scans a range of IP addresses for certain open ports to identify open RDP ports, particularly 3389. Then, he carries out brute-force attacks on the victim's server to guess the RDP password," Group-IB says in a recap.

RDP Exposure

Internet-connected systems with public-facing port 3389 (RDP's default) communications (Source: Shodan, April 2020)

If that gave Fxmsp remote access to the targeted network, Group-IB says the attack would typically proceed through these stages:

  1. Deactivate security: "Fxmsp usually disables the existing antivirus software and firewall, then creates additional accounts."

  2. Add accounts: If able to gain admin-level access to Active Directory, Fxmsp can create additional user accounts and help hide signs of the attack.

  3. Unleash payload: "Next, he uses the Meterpreter payload on servers as a backdoor," and sets it to connect with a command-and-control server only once every 15 days. (What is Meterpreter? Per security firm SentinelOne: "Meterpreter allows an attacker to control a victim's computer by running an invisible shell and establishing a communication channel back to the attacking machine. Its power and versatility have made it a favorite among pentesters, and clearly these qualities have made it equally attractive to bad actors.")

  4. Dump accounts: After accessing admin-level accounts, Group-IB says, "Fxmsp harvests dumps of all the accounts and decrypts them."

  5. Infect backups: As a final move, Fxmsp infects system backups with backdoors. "Even if the victim notices suspicious activity in the system, they will most likely change passwords and perform a rollback to the backup, which has already been compromised. This approach allows him to maintain persistence and remain unnoticed for a long time."

Defensive Recommendations

For network defenders, studying Fxmsp's moves and ensuring they have appropriate defenses in place remains a smart strategy because other attackers continue to use many of the same tricks (see: Ransomware Gangs' Not-So-Secret Attack Vector: RDP Exploits).

Defense experts recommend:

  • Change default RDP port: "Fxmsp uses open RDP ports as the initial attack vector, therefore, the default RDP port 3389 can be edited by changing it to any other," Group-IB notes.
  • Restrict RDP access: Use an RDP gateway and also network-level authentication to prevent anyone from being able to access RDP before they've first authenticated to the network.
  • Use multifactor authentication: Again and again when fresh breaches come to light, a too-common takeaway is that if good multifactor authentication had been in place, hackers woudn't have been able to gain access.
  • Watch for failed passwords: Lock RDP accounts following several incorrect passwords being entered. Also enforce the use of strong passwords (see: Why Are We So Stupid About RDP Passwords?).
  • Secure Active Directory: Start by minimizing the number of administrator accounts as well as access to them.
  • Monitor cybercrime chatter: Operators such as Fxmsp will eventually seek to monetize the attack by posting stolen information for sale. While this may only belatedly bring a breach to light, it can still tip off an organization that it's been hacked.

More in-depth defense recommendations abound, especially for locking down RDP and securing Active Directory.

But the big-picture takeaways are simple: Continue to learn from real-world attacks and ensure you have the right defenses. Above all, don't let simple attacks succeed.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.