Nvidia, one of the largest microchip companies, has been hacked by a group called Lapsus$. The company became aware of the data breach on February 23rd. The hackers stole employee credentials, GPU schematics, and the source code of various firmware, drivers, and proprietary Nvidia software; the total amount of data stolen is about 1 TB.
Because the breach occurred just before the Russian invasion of Ukraine, some speculated that the attack could be related to the conflict. Nvidia said there is no evidence that the attack is related to the conflict between Russia and Ukraine.
Cyber security experts think that the Lapsus$ group could be based in South America and Western Europe. The group states that it is not state-sponsored, but this cannot be verified.
Initially, the attack appeared to be a ransomware attack. Ransomware is malware that infects computers, encrypts their data, and then demands a ransom to decrypt it. In this case, company officials said that no malware had infected their machines.
The hacker group demanded that Nvidia make its drivers open source and remove the mechanism that limits the performance of its GPUs for mining. The unusual aspect of the way the group claimed the breach is that it used a Telegram channel to communicate its demands and to leak the stolen data; other hacker groups usually use the dark web to publish stolen data and claim their attacks.
Nvidia declined to engage with the group's demands, and shortly afterwards all the stolen data was published by the attackers. The company is now analyzing the leaked data, but it says the breach is not expected to affect business continuity or its ability to serve its customers.
A major consequence of the breach was discovered recently: the attackers are using Nvidia's stolen code-signing certificates to sign malware. A valid signature makes the malware appear trustworthy to the operating system and allows malicious drivers to be loaded in Windows. Security researchers have already identified the stolen certificates and published their serial numbers.
The certificates have expired, but Windows still allows drivers signed with them to be installed. They will probably be added to Microsoft's revocation list in the future to prevent further abuse, blocking the loading of malicious software signed with these certificates in Windows.
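Because expiry alone does not stop these drivers from loading, a defender's check has to match the signing certificate's serial number against the published list explicitly. The following Python is an added example, not code from the article or from Nvidia or Microsoft. It assumes the signer certificate has already been extracted from a driver's Authenticode signature in DER form by some other tool; the DER fixture, the serial numbers in the denylist and the "now" timestamp are constructed placeholders, not the leaked serials.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Minimal DER reader (enough for the start of an X.509 TBSCertificate) ---

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def parse_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000   # RFC 5280 two-digit year rule
        rest = text[2:]
    elif tag == 0x18:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02X}")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

@dataclass
class CertInfo:
    version: int
    serial_hex: str
    not_before: datetime
    not_after: datetime

def parse_certificate(der: bytes) -> CertInfo:
    """Pull version, serial number and validity out of a DER X.509 certificate."""
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = read_tlv(cert_body, 0)            # first child: tbsCertificate
    fields = children(tbs)
    version, idx = 1, 0
    if fields[0][0] == 0xA0:                      # [0] EXPLICIT version present
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        idx = 1
    serial_tag, serial = fields[idx]
    if serial_tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # fields[idx+1] = signature algorithm, fields[idx+2] = issuer, fields[idx+3] = validity
    not_before, not_after = (parse_time(t, v) for t, v in children(fields[idx + 3][1]))
    return CertInfo(version, serial.hex().upper(), not_before, not_after)

# --- Denylist check ---

def normalize_serial(s: str) -> str:
    """Canonical form for serials published as '01:02:...', '0x0102...' or '0102...'."""
    s = s.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.replace(":", "").replace(" ", "").replace("-", "")
    return s.lstrip("0") or "0"

def check_signer(cert: CertInfo, denylist, now: datetime):
    """Return (allowed, reason). A denylisted serial is blocked regardless of dates;
    an expired but not denylisted certificate is reported as still loadable, which
    mirrors the Windows driver-signing behaviour the article describes."""
    if normalize_serial(cert.serial_hex) in {normalize_serial(s) for s in denylist}:
        return False, "signing certificate serial is on the compromised-certificate denylist"
    if now > cert.not_after:
        return True, "certificate expired, but expiry alone does not block driver loading"
    return True, "certificate within validity period"

# --- Constructed fixture: NOT a real certificate, just enough DER to exercise the parser ---

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

PLACEHOLDER_SERIAL = bytes(range(1, 17))      # 0102...0F10: a placeholder, not a leaked serial
_tbs = _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02"))           # version v3
    + _tlv(0x02, PLACEHOLDER_SERIAL)          # serialNumber
    + _tlv(0x30, b"")                         # signature algorithm (placeholder)
    + _tlv(0x30, b"")                         # issuer (placeholder)
    + _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, b"180101000000Z")))  # validity
SAMPLE_CERT_DER = _tlv(0x30, _tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# Denylist entries in two of the formats researchers typically publish (placeholders).
DENYLIST = ["01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10", "0xDEADBEEF"]
CHECK_TIME = datetime(2022, 3, 1, tzinfo=timezone.utc)   # constructed "now"

def run_demo():
    cert = parse_certificate(SAMPLE_CERT_DER)
    return {
        "cert": cert,
        "with_denylist": check_signer(cert, DENYLIST, CHECK_TIME),
        "without_denylist": check_signer(cert, [], CHECK_TIME),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The serial normalization matters in practice because published indicators arrive in mixed forms (colon-separated, `0x`-prefixed, with or without leading zeros), and a string comparison that skips that step silently misses a match. The two calls in `run_demo` show the same expired certificate being blocked only when its serial is on the list.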
After the Nvidia data breach, many other important companies have been attacked by the Lapsus$ group, including Samsung, Vodafone, Ubisoft, and Mercado Libre. The most recent data breach involved Microsoft. On the 21st of March, the group posted a 9 GB zip archive containing the source code of almost 250 Microsoft projects. In the post, the hackers say it contains almost 90% of the source code of Bing and approximately 45% of the source code of Bing Maps and Cortana. The uncompressed archive contains almost 37 GB of source code. Microsoft stated that it is aware of the data leak and is investigating.
At the moment it is unknown how the group is breaching these companies. Analyzing past breaches, we know that the main targets are usually repositories containing source code and other sensitive data. A possible explanation of how the hackers gained access to company systems is through corporate insiders: on their Telegram channel, they announced that they are willing to buy network access from employees of various companies.
Author: Renato Iannace