‘Brazen’ Lapsus$ ransomware group menaces Big Tech

Recent data breaches at NVIDIA, Samsung and Ubisoft have brought a new cybercrime group to light: Lapsus$. Here’s what we know about the malicious hacking crew that’s been targeting Big Tech.

The Lapsus$ ransomware gang poses a new and alarming cyberthreat: It’s not just extorting technology industry victims, but also breaching highly sensitive keys that can be used in malware to target mobile devices and PCs.

Since storming onto the cybercriminal scene last December with a breach of Brazil’s health ministry, Lapsus$ has compromised networks at NVIDIA and Samsung, stealing hundreds of gigabytes of data from the Silicon Valley chip maker and the Korean electronics giant. On Friday, the group claimed responsibility for another breach of video game company Ubisoft.

Although it may take months of forensic investigation to reveal the full impact of Lapsus$’s recent data breaches, some nasty consequences have already emerged. Experts are already seeing malware signed with the certificates NVIDIA uses to code-sign its graphics card drivers. And it may only be a matter of time before sensitive data stolen in the Samsung breach is incorporated into cybercriminal tools targeting Galaxy smartphones or other popular devices.

Because Lapsus$ posts messages in Portuguese, it’s speculated that they’re based in Portugal or Brazil. The cybercrime group appears to be actively recruiting members and seeking new targets, according to Toronto-based cyber threat intel researcher Cheryl Biswas.

“They are running a poll on whose source [code] to leak next. Brazen. Very confident. And getting a lot of press for their conquests,” Biswas told README. “Big game trophies with Samsung, NVIDIA. They hit major telecommunications firms earlier this year too.”

Biswas, who writes the CyberWatch blog, said Vodafone may be Lapsus$’s next victim. The ransomware group claimed on its Telegram account that it has access to hundreds of gigabytes of company source code and is threatening to leak it.

The stolen data could also be abused to compromise software supply chain security, Biswas said.

The Lapsus$ attackers “know today’s developer world is all about online repositories and sharing,” she said. “This group is going after source code.”

South Korea-based electronics giant Samsung suffered a recent data breach at the hands of the Lapsus$ ransomware group. DennisM2/Flickr

Tech companies respond

An NVIDIA spokesperson said the company became aware of a “cybersecurity incident” on Feb. 23 and responded by hardening its network, calling in cybersecurity incident responders and notifying law enforcement.

“We are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online,” the spokesperson said. “Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.”

For its part, Vodafone is investigating Lapsus$’s claims, CNBC reported last week.

Ubisoft confirmed in a statement Thursday it had experienced a “cyber security incident” that temporarily disrupted some games and services.

A Samsung spokesperson confirmed that the company’s own recent data breach involved some source code relating to Galaxy devices, but said it didn’t include personal information of customers or employees.

“Currently, we do not anticipate any impact to our business or customers,” the spokesperson said. “We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

Nick Bown, U.K.-based CISO of fintech startup Qorbital, said the Samsung data breach could point to a “culture of lax security” at the company.

“Mobile devices are a massive part of people’s lives but Samsung seem to place features and the sales cycle ahead of security,” he told README.

A string of breaches

Lapsus$ made itself known to the world last December, when the group announced it had breached about 50 terabytes of COVID-19 vaccination data from the Brazilian Ministry of Health.

The attack was another example of ransomware that not only encrypts data, but also steals it. Many organizations have become better at backing up critical data, so they may opt to restore from backups rather than pay cybercriminals when they’re hit with ransomware. But backups can’t stem the damage of a data breach, so ransomware developers now often create malware that threatens the confidentiality as well as the availability of victims’ networks. The new threat is: “Pay our ransom or we spill your secrets.”

On New Year’s Day, Lapsus$ took credit for a ransomware attack that struck Impresa, Portugal’s largest media company. Impresa is the owner of SIC television network and Expresso, one of Portugal’s most popular newspapers. Lapsus$ threatened to leak data, warning Impresa that it had access to its AWS cloud infrastructure.

Impresa assured its customers that the company was doing what it could to recover from the attack.

Lapsus$ went on to target larger victims and used Telegram to post a message claiming responsibility for the recent NVIDIA hack. The group says it has breached a total of 1TB of sensitive data, which includes source code and schematics for firmware and drivers, plus usernames and cryptographic hashes linked to over 70,000 NVIDIA employees.

Lapsus$ explained via Telegram that the group wanted NVIDIA to facilitate cryptomining by removing its “lite hash rate” or LHR technology that detects when graphics cards are being used to mine Ethereum and limits their performance. NVIDIA is a top producer of graphics cards, which are used to mine cryptocurrency.

The ransomware group said in imperfect English:

“We decided to help mining and gaming community. We want NVIDIA to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it’s a big folder). We both know lhr impact mining and gaming.”

Lapsus$ didn’t stop at NVIDIA. On March 4, the group announced the Samsung breach.

The 190GB of stolen data allegedly includes source code for Samsung’s activation servers, source code of Samsung’s technology of authorizing and authenticating user accounts, source code from chipmaker and Samsung supplier Qualcomm, source code for the bootloaders of all recent Samsung devices including their top-selling Galaxy series, biometric unlocking algorithms for mobile devices, and source code for every Trusted Applet installed in Samsung’s TrustZone security buffer, including cryptographic and access control data.

As Casey Bisson, head of product growth at code security platform developer BluBracket, told Threatpost, “If Samsung’s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details.”

Lapsus$ represents a combination of several cybercrime trends: Ransomware groups adding data theft extortion; international online recruitment; and malware made with breached cryptographic keys. If the chatter on their Telegram channel is any indication, they’re here to stay.