Lapsus$ hack leaves NVIDIA in a tight spot

According to an IBM report, ransomware was the top attack type (again) in 2021. Recently, NVIDIA confirmed the hack attack that compromised their internal systems. The infamous hacker group Lapsus$ claimed credit for the attack. Later, Lapsus$ also hacked Ubisoft.

Lapsus$ broke into NVIDIA’s internal network and managed to steal sensitive data–from hashed login credentials to trade secrets. The hackers wanted NVIDIA to remove the mining hashrate limiters on their RTX 3000-series GPU as ransom. Lapsus$ said if NVIDIA failed to agree to their demand by March 4, they would leak the latter’s trade secrets. And NVIDIA didn’t submit to their ransom demand.

Later, the hackers leaked NVIDIA’s official code signing certificates. Now, bad actors are using them to bypass Windows Defender’s built-in executable verification and sneak in malware. The hackers can make malicious programs look like legit NVIDIA software. 

Lapsus$ started leaking employee credentials and proprietary information as downloadable files on the internet. NVIDIA found out about the breach on February 23. The company also said the breach would not disrupt its business.

The hack happened in mid-February, and Lasus$ stole one terabyte of data, including a substantial amount of sensitive info on GPU designs, source code for an NVIDIA AI rendering system known as DLSS usernames and passwords of more than 71,000 NVIDIA employees. 

Download our Mobile App

In the wake of the breach, NVIDIA has stepped the security, reached out to law enforcement, and is now working with cybersecurity experts to deal with the attack. 

In 2019, Stratosphere Labs looked at a remote access trojan (RAT) known as Quasar and said it had been used for cyberattacks against Ukraine. As per samples uploaded on VirusTotal, the stolen certificates were used to sign Cobalt Strike beacons, Mimikatz, backdoors, and RATs (malware and hacking tools). 

In the same tweet thread, cybersecurity researchers Kevin Beaumont and Will Dormann (CERT Coordination Center) posted the serial numbers of the stolen certificates.

So, no ransom?

The hack compromised NVIDIA servers. Apart from the demand to remove the mining hashrate limiters on the company’s RTX 3000-series graphics cards, the hackers have also asked NVIDIA to make their drivers open-source and distribute them under the free and open-source software (FOSS) license.

Later, the hackers revised their demands and called upon NVIDIA to remove the lite hash rate (LHR) in its GPUs.

Less than a week after the NVIDIA breach, the hackers claimed an attack on Samsung. In a description of the upcoming leak, Lapsus$ said the hacked data contains “confidential Samsung source code” like source code for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations (e.g. hardware cryptography, binary encryption, access control; algorithms for all biometric unlock operations; bootloader source code for all recent Samsung devices; confidential source code from Qualcomm; source code for Samsung’s activation servers; and full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services.

Lapsus$ put the data under three compressed files worth 190 GB and is now available for free download in Torrent.

Ubisoft also reported a “cybersecurity incident” involving Lapsus$. On March 11, Ubisoft said the hack impacted numerous games, services and functions in its internal systems. Although the company did not disclose how it happened or who did it. 

“As a prudent step, we began a company-wide password reset. Also, we can confirm that there is no evidence any player’s personal information was accessed or exposed as a by-product of this incident,” Ubisoft said in a statement.

Lapsus$ claimed responsibility for the attack in its Telegram channel.