Nvidia and Samsung grappling with the Lapsus$ group


First seen in December 2021, the cybercriminal group Lapsus$ clearly enjoys publicity. The attacks it claims are generally high-profile: in January, Lapsus$ claimed responsibility for hacking the Portuguese parliament and a major media group in the same country, the Brazilian health ministry and two South American telecommunications companies.

Surprising demands

Over the past month, however, the group seems to have changed the kind of target it goes after: after claiming to have hacked Nvidia, it now announces that it has stolen data belonging to Samsung. Nvidia has confirmed “an incident” that affected its systems and caused two days of downtime. The company also said that employee credentials and internal data were stolen, but that it found no trace of ransomware on its systems.

Samsung has confirmed an “incident” involving internal data, which resulted in the theft of source code used by Galaxy devices, but said there was no impact on the personal data of its employees or customers. On the victims’ side, then, communication remains extremely cautious.

On the Lapsus$ side, it is another story. The attackers announced that they had stolen more than 1 terabyte of data from Nvidia’s servers and, to back up the claim, released a first sample of 20 GB of stolen files. The group has also begun to make its demands known: Lapsus$ wants Nvidia to abandon the LHR (Lite Hash Rate) technology in the graphics cards it sells.

Nvidia introduced this technology to make its graphics cards less attractive for cryptocurrency mining, in order to counter the effects of the shortage the sector is currently experiencing and to reserve some of its products for gamers, Nvidia’s historical customer base. Among the group’s other demands, the cybercriminals also want Nvidia to open-source its graphics card drivers.

The damage is done

It is hard to imagine Nvidia complying with such demands, and the cybercriminal group did not wait before trying to do damage with the stolen data. As security researchers report, the group has apparently posted an Nvidia certificate-signing tool online, and some cybercriminals are already using it to issue certificates on Nvidia’s behalf for malware.

Certificates are a technology for attesting the origin of an application. The developer uses signing tools to certify that the application’s code really is theirs, and the user can then verify the origin of the signature by looking at the application’s details. The operating system also uses this mechanism to display warnings to a user about to install an unsigned application, alerting them to possible attacks. For some critical applications, the operating system may also refuse to install unsigned code altogether as a security measure.

As Bleeping Computer reports, the data stolen by the Lapsus$ group included at least two certificates used by the manufacturer to sign its applications, and several researchers have found malicious apps signed with these certificates in the days since the attack was claimed. Their circulation therefore allows cybercriminal groups to digitally sign certain applications on Nvidia’s behalf: the certificates have been revoked, but Windows, for example, still accepts the installation of drivers signed with revoked certificates. For an attacker, these tools thus make it possible to bypass some of the protections built into Microsoft’s operating system.
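As an added example (not code from the article, from Nvidia or from Microsoft), the following Python triage routine shows the check a defender would run over signature metadata exported from a host inventory: rather than trusting the operating system’s acceptance of a driver, it flags binaries whose signer is on a compromised-certificate list, distinguishing signatures timestamped before the revocation date from those made afterwards or without a timestamp. The thumbprints, dates and file names are constructed placeholders, not the real Nvidia values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed blocklist: signer thumbprint -> date from which that certificate is
# treated as compromised. The real Nvidia thumbprints are not on the page, so this
# is a placeholder a defender would replace with values from the vendor advisory.
COMPROMISED_SIGNERS: Dict[str, datetime] = {"PLACEHOLDER_LEAKED_CERT_THUMBPRINT": _d(2022, 3, 1)}

@dataclass
class SignatureInfo:
    path: str
    signer_thumbprint: str
    cert_not_before: datetime
    cert_not_after: datetime
    signing_time: Optional[datetime]  # from a countersignature timestamp, else None

def evaluate(sig: SignatureInfo, now: datetime) -> Tuple[str, str]:
    """Return (verdict, reason) without relying on the OS's own trust decision."""
    revoked_at = COMPROMISED_SIGNERS.get(sig.signer_thumbprint)
    if revoked_at is not None:
        # A leaked signer is suspect whatever the platform's driver policy accepts.
        if sig.signing_time is None:
            return "block", "compromised signer and no trusted timestamp"
        if sig.signing_time >= revoked_at:
            return "block", "compromised signer, signed after revocation date"
        return "review", "compromised signer, timestamped before revocation date"
    # Without a timestamp the signature can only be judged against the present.
    effective = sig.signing_time or now
    if not (sig.cert_not_before <= effective <= sig.cert_not_after):
        return "block", "signing time outside certificate validity period"
    return "allow", "signer not on blocklist and within validity period"

def triage(sigs, now: datetime) -> Dict[str, Tuple[str, str]]:
    return {s.path: evaluate(s, now) for s in sigs}

# Constructed sample records, as a host inventory tool might export them.
NOW, LEAKED, OTHER = _d(2022, 3, 5), "PLACEHOLDER_LEAKED_CERT_THUMBPRINT", "PLACEHOLDER_OTHER_THUMBPRINT"
SAMPLES = [
    SignatureInfo("nv_fake.sys", LEAKED, _d(2019, 1, 1), _d(2024, 1, 1), _d(2022, 3, 3)),
    SignatureInfo("old_tool.exe", LEAKED, _d(2019, 1, 1), _d(2024, 1, 1), _d(2021, 6, 1)),
    SignatureInfo("loader.dll", LEAKED, _d(2019, 1, 1), _d(2024, 1, 1), None),
    SignatureInfo("vendor_ok.sys", OTHER, _d(2020, 1, 1), _d(2023, 1, 1), _d(2022, 2, 10)),
    SignatureInfo("stale.sys", OTHER, _d(2015, 1, 1), _d(2018, 1, 1), None),
]
```

Running `triage(SAMPLES, NOW)` blocks the three files that fail the policy, marks the pre-revocation timestamped file for review, and allows only the binary from an unaffected signer within its validity period.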
